(57) Abstract

This invention relates to methods for controlling and monitoring access to network servers. In particular, the process described in the 
invention includes client-server sessions over the Internet involving hypertext files. In the hypertext environment, a client views a document 
transmitted by a content server with a standard program known as the browser. Each hypertext document or page contains links to other 
hypertext pages which the user may select to traverse. When the user selects a link that is directed to an access-controlled file, the server 
subjects the request to a secondary server which determines whether the client has an authorization or valid account. Upon such verification, 
the user is provided with a session identification which allows the user access to the requested file as well as any other files within the
present protection domain. 
INTERNET SERVER ACCESS CONTROL AND MONITORING SYSTEMS

Reference to Appendix 

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by any one of the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever.

Background of the Invention

The Internet, which started in the late 1960s, is a vast computer network consisting of many smaller networks that span the entire globe. The Internet has grown exponentially, and millions of users ranging from individuals to corporations now use permanent and dial-up connections to use the Internet on a daily basis worldwide. The computers or networks of computers connected within the Internet, known as "hosts", allow public access to databases featuring information in nearly every field of expertise and are supported by entities ranging from universities and government to many commercial organizations.

The information on the Internet is made available to the public through "servers". A server is a system running on an Internet host for making available files or documents contained within that host. Such files are typically stored on magnetic storage devices, such as tape drives or fixed disks, local to the host. An Internet server may distribute information to any computer that requests the files on a host. The computer making such a request is known as the "client", which may be an Internet-connected workstation, bulletin board system or home personal computer (PC).

TCP/IP (Transmission Control Protocol/Internet Protocol) is one networking protocol that permits full use of the Internet. All computers on a TCP/IP network need unique ID codes. Therefore, each computer or host on the Internet is identified by a unique number code, known as the IP (Internet Protocol) number or address, and corresponding network and computer names. In the past, an Internet user gained access to its resources only by identifying the host computer and a path through directories within the host's storage to locate a requested file. Although various navigating tools have helped users to search resources on the Internet without knowing specific host addresses, these tools still require a substantial technical knowledge of the Internet.
The World-Wide Web (Web) is a method of accessing information on the Internet which allows a user to navigate the Internet resources intuitively, without IP addresses or other technical knowledge. The Web dispenses with command-line utilities, which typically require a user to transmit sets of commands to communicate with an Internet server. Instead, the Web is made up of hundreds of thousands of interconnected "pages", or documents, which can be displayed on a computer monitor. The Web pages are provided by hosts running special servers. Software which runs these Web servers is relatively simple and is available on a wide range of computer platforms including PC's. Equally available is a form of client software, known as a Web "browser", which is used to display Web pages as well as traditional non-Web files on the client system. Today, the Internet hosts which provide Web servers are increasing at a rate of more than 300 per month, en route to becoming the preferred method of Internet communication.
Created in 1991, the Web is based on the concept of "hypertext" and a transfer method known as "HTTP" (Hypertext Transfer Protocol). HTTP is designed to run primarily over TCP/IP and uses the standard Internet setup, where a server issues the data and a client displays or processes it. One format for information transfer is to create documents in a language called Hypertext Markup Language (HTML). HTML pages are made up of standard text as well as formatting codes which indicate how the page should be displayed. The Web client, a browser, reads these codes in order to display the page. The hypertext conventions and related functions of the World Wide Web are described in the appendices of U.S. Patent Application Serial No. 08/328,133, filed on October 24, 1994, by Payne et al., which is incorporated herein by reference.

Each Web page may contain pictures and sounds in addition to text. Hidden behind certain text, pictures or sounds are connections, known as "hypertext links" ("links"), to other pages within the same server or even on other computers within the Internet. For example, links may be visually displayed as words or phrases that may be underlined or displayed in a second color. Each link is directed to a Web page by using a special name called a URL (Uniform Resource Locator). URLs enable a Web browser to go directly to any file held on any Web server. A user may also specify a known URL by writing it directly into the command line on a Web page to jump to another Web page.

A URL in a hypertext link consists of three parts: the transfer format, the host name of the machine that holds the file, and the path to the file. An example of a URL may be:

http://www.college.univ.edu/Adir/Bdir/Cdir/page.html



WO 96/42041 PCT/US96/07838



where "http" represents the transfer protocol; a colon and two forward slashes (://) are used to separate the transfer format from the host name; "www.college.univ.edu" is the host name in which "www" denotes that the file being requested is a Web page; "/Adir/Bdir/Cdir" is a set of directory names in a tree structure, or a path, on the host machine; and "page.html" is the file name with an indication that the file is written in HTML.
The Internet maintains an open structure in which exchanges of information are made cost-free without restriction. The free access format inherent to the Internet, however, presents difficulties for those information providers requiring control over their Internet servers. Consider for example a research organization that may want to make certain technical information available on its Internet server to a large group of colleagues around the globe, but the information must be kept confidential. Without means for identifying each client, the organization would not be able to provide information on the network on a confidential or preferential basis. In another situation, a company may want to provide highly specific service tips over its Internet server only to customers having service contracts or accounts.

Access control by an Internet server is difficult for at least two reasons. First, when a client sends a request for a file on a remote Internet server, the message is routed or relayed by a web of computers connected through the Internet until it reaches its destination host. The client does not necessarily know how its message reaches the server. At the same time, the server makes responses without ever knowing exactly who the client is or what its IP address is. While the server may be programmed to trace its clients, the task of tracing is often difficult, if not impossible. Secondly, to prevent unwanted intrusion into private local area networks, many system administrators implement various data-flow control mechanisms, such as the Internet "firewalls", within their networks. An Internet firewall allows a user to reach the Internet anonymously while preventing intruders of the outside world from accessing the user's LAN.

Summary of the Invention

The present invention relates to methods of processing service requests from a client to a server through a network. In particular, the present invention is applicable to processing client requests in an HTTP (Hypertext Transfer Protocol) environment such as the World-Wide Web (Web). One aspect of the invention involves forwarding a service request from the client to the server and appending a session identification (SID) to the request and to subsequent service requests from the client to the server within a session of requests. In a preferred embodiment, the present method involves returning the SID from the server to the client upon an initial service request made by the client. A valid SID may include an authorization identifier to allow a user to access controlled files.

In a preferred embodiment, a client request is made with a Uniform Resource Locator (URL) from a Web browser. Where a client request is directed to a controlled file without an SID, the Internet server subjects the client to an authorization routine prior to issuing the SID, the SID being protected from forgery. A content server initiates the authorization routine by redirecting the client's request to an authentication server which may be at a different host. Upon receiving a redirected request, the authentication server returns a response to interrogate the client and then issues an SID to a qualified client. For a new client, the authentication server may open a new account and issue an SID thereafter. A valid SID typically comprises a user identifier, an accessible domain, a key identifier, an expiration time such as date, the IP address of the user computer, and an unforgeable digital signature such as a cryptographic hash of all of the other items in the SID encrypted with a secret key. The authentication server then forwards a new request consisting of the original URL appended by the SID to the client in a REDIRECT. The modified request formed by a new URL is automatically forwarded by the client browser to the content server.

When the content server receives a URL request accompanied by an SID, it logs the URL with the SID and the user IP address in a transaction log and proceeds to validate the SID. When the SID is so validated, the content server sends the requested document for display by the client's Web browser.

In the preferred embodiment, a valid SID allows the client to access all controlled files within a protection domain without requiring further authorization. A protection domain is defined by the service provider and is a collection of controlled files of common protection within one or more servers.

When a client accesses a controlled Web page with a valid SID, the user viewing the page may want to traverse a link to view another Web page. There are several possibilities. The user may traverse a link to another page in the same path. This is called a "relative link". A relative link may be made either within the same domain or to a different domain. The browser on the client computer executes a relative link by rewriting the current URL to replace the old controlled page name with a new one. The new URL retains all portions of the old, including the SID, except for the new page name. If the relative link points to a page in the same protection domain, the SID remains valid, and the request is honored. However, if the relative link points to a controlled page in a different protection domain, the SID is no longer valid, and the client is automatically redirected to forward the rewritten URL to the authentication server to update the SID. The updated or new SID provides access to the new domain if the user is qualified.

The user may also elect to traverse a link to a document in a different path. This is called an "absolute link". In generating a new absolute link, the SID is overwritten by the browser. In the preferred embodiment, the content server, in each serving of a controlled Web page within the domain, filters the page to include the current SID in each absolute URL on the page. Hence, when the user elects to traverse an absolute link, the browser forwards a request with an authenticated URL which is directed with its SID to a page in a different path. In another embodiment, the content server may forego the filtering procedure as above described and redirect an absolute URL to the authentication server for an update. An absolute link may also be directed to a controlled file in a different domain. Again, such a request is redirected to the authentication server for processing of a new SID. An absolute link directed to an uncontrolled file is accorded an immediate access.
In another embodiment, the SID may be retained by programming the client browser to store an SID as a variable for use in each URL call to that particular server. This embodiment, however, requires a special browser which can handle such communications and is generally not suitable for the standard browser format common to the Web.

Another aspect of the invention is to monitor the frequency and duration of access to various pages, both controlled and uncontrolled. A transaction log within a content server keeps a history of each client access to a page including the link sequence through which the page was accessed. Additionally, the content server may count the client requests exclusive of repeated requests from a common client. Such records provide important marketing feedback including user demand, access pattern, and relationships between customer demographics and accessed pages and access patterns.
The above and other features of the invention including various novel details of construction and combinations of parts will now be more particularly described with reference to the accompanying drawings and pointed out in the claims. It will be understood that the particular devices and methods embodying the invention are shown by way of illustration only and not as limitations of the invention. The principles and features of this invention may be employed in varied and numerous embodiments without departing from the scope of the invention.

Brief Description of the Drawings

Figure 1 is a diagram illustrating the Internet in operation.

Figure 2A is a flowchart describing the preferred method of Internet server access control and monitoring.

Figure 2B is a related flowchart describing the details of the authentication process.

Figure 3 illustrates an example of a client-server exchange session involving the access control and monitoring method of the present invention.

Figure 4 is an example of a World Wide Web page.

Figure 5 is an example of an authorization form page.

Figure 6 is a diagram describing the details of the translation of telephone numbers to URLs.
Detailed Description of the Invention

Referring now to the drawings, Figure 1 is a graphical illustration of the Internet. The Internet 10 is a network of millions of interconnected computers 12, including systems owned by Internet providers 16 and information systems (BBS) 20 such as Compuserve or America Online. Individual or corporate users may establish connections to the Internet in several ways. A user on a home PC 14 may purchase an account through the Internet provider 16. Using a modem 22, the PC user can dial up the Internet provider to connect to a high speed modem 24 which, in turn, provides a full service connection to the Internet. A user 18 may also make a somewhat limited connection to the Internet through a BBS 20 that provides an Internet gateway connection to its customers.

Figure 2A is a flowchart detailing the preferred process of the present invention, and Figure 4 illustrates a sample Web page displayed at a client by a browser. The page includes text 404 which includes underlined link text 412. The title bar 408 and URL bar 402 display the title and URL of the current web page, respectively. As shown in Figure 4, the title of the page is "Content Home Page" and the corresponding URL is "http://content.com/homepage". When a cursor 414 is positioned over link text 412b, the page which would be retrieved by clicking a mouse is typically identified in a status bar 406 which shows the URL for that link. In this example, the status bar 406 shows that the link 412b is directed to a page called "advertisement" in a commercial content server called "content". By clicking on the link text, the user causes the browser to generate a URL GET request, as shown in Figure 2A. The browser forwards the request to a content server 120, which processes the request by first determining whether the requested page is a controlled document 102. If the request is directed to an uncontrolled page, as in the "advertisement" page in this example, the content server records the URL and the IP address, to the extent it is available, in the transaction log 114. The content server then sends the requested page to the browser 116 for display on the user computer 117.

If the request is directed to a controlled page, the content server determines whether the URL contains an SID. For example, a URL may be directed to a controlled page named "report", such as "http://content.com/report", that requires an SID. If no SID is present, as in this example, the content server sends a "REDIRECT" response 122 to the browser 100 to redirect the user's initial request to an authentication server 200 to obtain a valid SID. The details of the authentication process are described in Figure 2B and will be discussed later, but the result of the process is an SID provided from the authentication server to the client. In the above example, a modified URL appended with an SID may be: "http://content.com/[SID]/report". The preferred SID is a sixteen character ASCII string that encodes 96 bits of SID data, 6 bits per character. It contains a 32-bit digital signature, a 16-bit expiration date with a granularity of one hour, a 2-bit key identifier used for key management, an 8-bit domain comprising a set of information files to which the current SID authorizes access, and a 22-bit user identifier. The remaining bits are reserved for expansion. The digital signature is a cryptographic hash of the remaining items in the SID and the authorized IP address which are encrypted with a secret key which is shared by the authentication and content servers.
If the initial GET URL contains a SID, the content server determines whether the request is directed to a page within the current domain 106. If the request having a SID is directed to a controlled page of a different domain, the SID is no longer valid, and, again, the user is redirected to the authentication server 122. If the request is for a controlled page within the current domain, the content server proceeds to log the request URL, tagged with SID, and the user IP address in the transaction log 108. The content server then validates the SID 110. Such validation includes the following list of checks: (1) the SID's digital signature is compared against the digital signature computed from the remaining items in the SID and the user IP address using the secret key shared by the authentication and content servers; (2) the domain field of the SID is checked to verify that it is within the domain authorized; and (3) the expiration time of the SID is checked to verify that it is later than the current time.
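As an added example (my own code, not the patent's or any product's), the following Python models the preferred SID layout described above and the three validation checks just listed. The patent calls the signature a cryptographic hash of the other items and the authorized IP address encrypted with the shared secret key; HMAC-SHA256 truncated to 32 bits stands in for that here. The 6-bit alphabet, the order of the fields within the 96 bits and the position of the 16 reserved bits are my assumptions, since the text does not specify them.

```python
import hmac
import hashlib
import time
from dataclasses import dataclass

# 16 characters x 6 bits = 96 bits. The alphabet itself is an assumption; the
# patent only says the SID is a sixteen-character ASCII string.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
HOUR = 3600


@dataclass(frozen=True)
class SIDFields:
    user_id: int        # 22 bits
    domain: int         # 8 bits: the protection domain this SID authorizes
    key_id: int         # 2 bits: selects one of up to four shared secret keys
    expires_hour: int   # 16 bits: expiration as whole hours since the epoch


def pack_payload(f: SIDFields) -> int:
    """Pack the non-signature fields into a 64-bit payload.
    Assumed layout: expires(63..48) key_id(47..46) domain(45..38) user_id(37..16),
    with bits 15..0 reserved for expansion (zero when minted)."""
    assert 0 <= f.user_id < 1 << 22 and 0 <= f.domain < 1 << 8
    assert 0 <= f.key_id < 1 << 2 and 0 <= f.expires_hour < 1 << 16
    return (f.expires_hour << 48) | (f.key_id << 46) | (f.domain << 38) | (f.user_id << 16)


def unpack_payload(payload: int) -> SIDFields:
    return SIDFields(
        user_id=(payload >> 16) & ((1 << 22) - 1),
        domain=(payload >> 38) & 0xFF,
        key_id=(payload >> 46) & 0x3,
        expires_hour=(payload >> 48) & 0xFFFF,
    )


def signature(payload: int, client_ip: str, key: bytes) -> int:
    """32-bit tag over every payload bit (reserved bits included) plus the client
    IP address, so the SID is bound to the address it was issued to."""
    msg = payload.to_bytes(8, "big") + client_ip.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def mint_sid(fields: SIDFields, client_ip: str, keys: dict) -> str:
    """Authentication server side: build the 96-bit value, signature in the top
    32 bits, and encode it 6 bits per character."""
    payload = pack_payload(fields)
    value = (signature(payload, client_ip, keys[fields.key_id]) << 64) | payload
    return "".join(ALPHABET[(value >> (90 - 6 * i)) & 0x3F] for i in range(16))


def parse_sid(sid: str):
    """Decode the string back to (signature, payload). Raises ValueError on bad input."""
    if len(sid) != 16:
        raise ValueError("SID must be 16 characters")
    value = 0
    for ch in sid:
        value = (value << 6) | ALPHABET.index(ch)   # index() raises on a bad character
    return value >> 64, value & ((1 << 64) - 1)


def validate_sid(sid: str, client_ip: str, server_domain: int, keys: dict, now=None) -> str:
    """Content server side: return "ok" or the name of the first failed check."""
    try:
        sig, payload = parse_sid(sid)
    except ValueError:
        return "malformed"
    fields = unpack_payload(payload)
    key = keys.get(fields.key_id)
    # Check (1): recompute the signature from the other items plus the user IP.
    if key is None:
        return "signature"
    expected = signature(payload, client_ip, key)
    if not hmac.compare_digest(sig.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return "signature"
    # Check (2): the domain field must match the domain this server protects.
    if fields.domain != server_domain:
        return "domain"
    # Check (3): the expiration hour must be later than the current hour.
    now_hour = int((time.time() if now is None else now) // HOUR)
    if fields.expires_hour <= now_hour:
        return "expired"
    return "ok"
```

Because the tag covers the raw 64-bit payload rather than the re-packed fields, flipping even a reserved bit invalidates the SID.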

If the validation passes, the content server searches the page to be forwarded for any absolute URL links contained therein 112, that is, any links directed to controlled documents in different content servers. The content server augments each absolute URL with the current SID to facilitate authenticated accesses across multiple content servers. The requested page as processed is then transmitted to the client browser for display 117. The user viewing the requested Web page may elect to traverse any link on that page to trigger the entire sequence again.
Figure 2B describes the details of the authentication process. The content server may redirect the client to an authentication server. The REDIRECT URL might be: "http://auth.com/authenticate?domain=[domain]&URL=http://content.com/report". That URL requests authentication and specifies the domain and the initial URL. In response to the REDIRECT, the client browser automatically sends a GET request with the provided URL.




Whenever the content server redirects the client to the authentication server 200, the authentication server initiates the authorization process by validating that it is for an approved content server and determining the level of authentication required for the access requested 210. Depending on this level, the server may challenge the user 212 for credentials. If the request is for a low level document, the authentication server may issue an appropriate SID immediately 228 and forego the credential check procedures. If the document requires credentials, the authentication server sends a "CHALLENGE" response which causes the client browser to prompt the user for credentials 214. A preferred credential query consists of a request for user name and password. If the user is unable to provide a password, the access is denied. The browser forms an authorization header from the information provided, and resends a GET request to the authentication server using the last URL along with an authorization header. For example, a URL of such a GET request may be: "http://auth.com/authenticate?domain=[domain]&URL=http://content.com/report" and the authorization header may be: "AUTHORIZE: [authorization]".

Upon receiving the GET request, the authentication server queries an account database 216 to determine whether the user is authorized 218 to access the requested document. A preferred account database may contain a user profile which includes information for identifying purposes, such as client IP address and password, as well as user demographic information, such as user age, home address, hobby, or occupation, for later use by the content server. If the user is authorized, an SID is generated 228 as previously described. If the user is not cleared for authorization, the authentication server checks to see if the user qualifies for a new account 220. If the user is not qualified to open a new account, a page denying access is transmitted to the client browser 222. If the user qualifies, the new user is sent a form page such as illustrated in Figure 5 to initiate a real-time on-line registration 224. The form may, for example, require personal information and credit references from the user. The browser is able to transmit the data entered by the user on the blanks 502 as a "POST" message to the authentication server. A POST message causes form contents to be sent to the server in a data body other than as part of a URL. If the registration form filled out by the new user is approved, an appropriate SID is generated 228. If the registration is not valid, access is again denied 222. The SID for an authorized user is appended ("tagged") to the original URL directed to a controlled page on the content server. The authentication server then transmits a REDIRECT response 232 based on the tagged URL to the client browser. The modified URL, such as "http://content.com/[SID]/report", is automatically forwarded to the content server 120.
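The URL handling on both sides of the exchange just described, and the link filtering step from the Figure 2A discussion, as an added Python example (my code, not the patent's): the content server builds the REDIRECT to the authentication server, the authentication server recovers the domain and original URL and tags that URL with the SID, the browser's relative-link rewriting keeps the SID segment, and the content server augments absolute links to controlled hosts. It assumes the SID is inserted as the first path segment exactly as in "http://content.com/[SID]/report", that a first segment of sixteen characters is taken to be the SID, and that the REDIRECT query values are percent-encoded; auth.com and content.com are the patent's own example hosts.

```python
import re
from urllib.parse import urlencode, urljoin, urlsplit, urlunsplit, parse_qs

AUTH_ENDPOINT = "http://auth.com/authenticate"   # endpoint from the patent's example URLs
SID_LEN = 16                                      # the preferred SID is 16 ASCII characters


def split_tagged_url(url):
    """Content server side: return (sid, untagged_url) for http://host/[SID]/page,
    or (None, url) when the first path segment is not SID_LEN characters (assumption)."""
    parts = urlsplit(url)
    segments = parts.path.split("/")              # "/SID/report" -> ["", "SID", "report"]
    if len(segments) >= 3 and len(segments[1]) == SID_LEN:
        rest = "/" + "/".join(segments[2:])
        return segments[1], urlunsplit(parts._replace(path=rest))
    return None, url


def tag_url(url, sid):
    """Authentication server side: append ("tag") the SID to the original URL by
    inserting it as the first path segment."""
    parts = urlsplit(url)
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    return urlunsplit(parts._replace(path="/" + sid + path))


def build_auth_redirect(domain, original_url):
    """Content server -> browser: the REDIRECT URL naming the protection domain and
    the URL originally requested, e.g. ...?domain=7&URL=http%3A%2F%2Fcontent.com%2Freport."""
    return AUTH_ENDPOINT + "?" + urlencode({"domain": domain, "URL": original_url})


def parse_auth_request(url):
    """Authentication server side: recover (domain, original URL) from the redirected GET."""
    q = parse_qs(urlsplit(url).query)
    return q["domain"][0], q["URL"][0]


def follow_relative_link(current_url, href):
    """What the browser does for a relative link: only the page name is replaced,
    so every other part of the URL, the SID segment included, survives."""
    return urljoin(current_url, href)


HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def augment_absolute_links(html, sid, controlled_hosts):
    """Content server filtering step: each absolute link to a controlled host that is
    not already tagged gets the current SID; other links are left untouched."""
    def fix(match):
        url = match.group(1)
        if urlsplit(url).netloc in controlled_hosts and split_tagged_url(url)[0] is None:
            return 'href="%s"' % tag_url(url, sid)
        return match.group(0)
    return HREF_RE.sub(fix, html)
```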
Figure 3 illustrates a typical client-server exchange involving the access control and monitoring method of the present invention. In Step 1, the client 50, running a browser, transmits a GET request through a network for an uncontrolled page (UCP). For example, the user may request an advertisement page by transmitting a URL "http://content.com/advertisement", where "content.com" is the server name and "advertisement" is the uncontrolled page name. In Step 2, the content server 52 processes the GET request and transmits the requested page, "advertisement". The content server also logs the GET request in the transaction database 56, recording the URL, the client IP address, and the current time.

In Step 3, the user at the client machine may elect to traverse a link in the advertisement page directed to a controlled page (CP). For example, the advertisement page
may contain a link to a controlled page called "Report". Selecting this link causes the client browser 50 to forward a GET request through a URL which is associated with the report file, "http://content.com/report". The content server 52 determines that the request is to a controlled page and that the URL does not contain an SID. In Step 4, the content server transmits a REDIRECT response to the client, and, in Step 5, the browser automatically sends the REDIRECT URL to the authentication server 54. The REDIRECT URL sent to the authentication server may contain the following string:

"http://auth.com/authenticate?domain=[domain]&URL=http://content.com/report"

The authentication server processes the REDIRECT and determines whether user credentials (CRED) are needed for authorization. In Step 6, the authentication server transmits a "CHALLENGE" response to the client. As previously described, typical credentials consist of user name and password. An authorization header based on the credential information is then forwarded by the client browser to the authentication server. For example, a GET URL having such an authorization header is: "http://auth.com/authenticate?domain=[domain]&URL=http://content.com/report" and the authorization header may be: "AUTHORIZE: [authorization]". The authentication server processes the GET request by checking the Account Database 58. If a valid account exists for the user, an SID is issued which authorizes access to the controlled page "report" and all the other pages within the domain.

3 0. :Vi*'-:As previously described, retire preferred" SID comprises a 
f; -„ ^compact ASCIT ; string -that -ehcddes : a user" identif ier , the 

r..-.:.- current domain, a key identic ±fer : > *ah expiration time, the 
- . .. ^client IP- address, and an ' unf oifgeable "digital' signature. 

In Step 8 > the authentication 's'erveir redirects the ^client 
35 to the'tagged URL, "http: //content . com/ [SID] /report" , to 
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the, client * In . Step t - the : tagged; . URL is : automatically 
f qrwarded Jby^ the |)r owser r a : s ? (SET; - request t p the ; coihtent 
. ^ server ; . ^ ^he, content^ server : logg^ the - GET request ^ In the 
. Transactipn database 56- by; : recording .th^ tagged UR*L, the 

: p r client IP^ .address ,. ;j and the current time ^ In " Step * 10 , the 
^content. server ,, : uppn -.validating the STD/ ^transmits- the 
. r^quest^d^cpntrolled vj>age r 1 ? report" .for . ^display on the 
^client ^browster. r . ... - r ^ . : y i ; --..i . ~ ^ 
According to one aspect of the present invention, the content server periodically evaluates the record contained in the transaction log 56 to determine the frequency and duration of accesses to the associated content server. The server counts requests to particular pages exclusive of repeated requests from a common client in order to determine the merits of the information on different pages for ratings purposes. By excluding repeated calls, the system avoids distortions by users attempting to "stuff the ballot box." In one embodiment, the time intervals between repeated requests by a common client are measured to exclude those requests falling within a defined period of time.

Additionally, the server may, at any given time, track access history within a client-server session. Such a history profile informs the service provider about link traversal frequencies and link paths followed by users. This profile is produced by filtering transaction logs from one or more servers to select only transactions involving a particular user ID (UID). Two subsequent entries, A and B, corresponding to requests from a given user in these logs represent a link traversal from document A to document B made by the user in question. This information may be used to identify the most popular links to a specific page and to suggest where to insert new links to provide more direct access. In another embodiment, the access history is evaluated to determine traversed links leading to a purchase of a product made within a commer[...] information may be used, for example, to charge for advertising based on the number of link traversals from an advertising page to a product page or based on the count of purchases resulting from a path including the advertisement. In this embodiment, the server can gauge the effectiveness of advertising by measuring the number of sales that resulted from a particular page, link, or path of links. The system can be configured to charge the merchant for an advertising page based on the number of sales that resulted from that page.
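The ratings count with its repeat-request exclusion, the link-traversal profile built from consecutive log entries per UID, and the purchase attribution to an advertising page from the three preceding paragraphs, as one added Python example that is not part of the patent; the log records and the 60-second exclusion window are constructed for the illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed transaction-log records (time, client IP, UID, tagged URL), in
# the shape the content server logs in Step 9; the UID is the one carried in
# the SID and "[SID]" stands for the real identifier.
SAMPLE_LOG = [
    (1000, "10.0.0.5", 17, "http://content.com/[SID]/ads/spring"),
    (1010, "10.0.0.5", 17, "http://content.com/[SID]/products/widget"),
    (1012, "10.0.0.5", 17, "http://content.com/[SID]/products/widget"),  # reload 2 s later
    (1100, "10.0.0.5", 17, "http://content.com/[SID]/buy/widget"),
    (1005, "10.0.0.9", 42, "http://content.com/[SID]/ads/spring"),
    (1030, "10.0.0.9", 42, "http://content.com/[SID]/report"),
    (2000, "10.0.0.9", 42, "http://content.com/[SID]/ads/spring"),  # well outside the window
    (2020, "10.0.0.9", 42, "http://content.com/[SID]/products/widget"),
    (2050, "10.0.0.9", 42, "http://content.com/[SID]/buy/widget"),
]

def page_of(url):
    """Drop the SID segment so one page counts as one page across sessions."""
    return re.sub(r"/\[SID\]", "", url)

def page_ratings(log, window):
    """Requests per page, excluding a repeat from the same client that falls
    within `window` seconds of that client's last counted request for the
    page: the ballot-box-stuffing exclusion."""
    last_counted = {}
    counts = Counter()
    for t, ip, _uid, url in sorted(log):
        page = page_of(url)
        prev = last_counted.get((ip, page))
        if prev is not None and t - prev < window:
            continue
        last_counted[(ip, page)] = t
        counts[page] += 1
    return counts

def link_traversals(log):
    """Per UID, consecutive entries A then B are one traversal of a link
    from document A to document B; a reload of the same page is not one."""
    by_uid = defaultdict(list)
    for _t, _ip, uid, url in sorted(log):
        page = page_of(url)
        if not by_uid[uid] or by_uid[uid][-1] != page:
            by_uid[uid].append(page)
    traversals = Counter()
    for pages in by_uid.values():
        traversals.update(zip(pages, pages[1:]))
    return traversals

def links_to(traversals, page):
    """The links leading to `page`, most traversed first."""
    return sorted(((a, n) for (a, b), n in traversals.items() if b == page),
                  key=lambda item: -item[1])

def purchases_via_ad(log, ad_page, purchase_prefix):
    """Purchases whose path, per UID and in time order, passed through
    `ad_page` since the previous purchase: the count an advertising charge
    can be based on."""
    by_uid = defaultdict(list)
    for _t, _ip, uid, url in sorted(log):
        by_uid[uid].append(page_of(url))
    attributed = 0
    for pages in by_uid.values():
        via_ad = False
        for page in pages:
            if page == ad_page:
                via_ad = True
            elif page.startswith(purchase_prefix) and via_ad:
                attributed += 1
                via_ad = False
    return attributed
```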

According to another aspect of the present invention, a secondary server, such as the authentication server 200 in Figure 2B, may access a prearranged user profile from the account database 216 and include information based on such a profile in the user identifier field of the SID. In a preferred embodiment, the content server may use such an SID to customize user requested pages to include personalized content based on the user identifier field of the SID.

In another aspect of the invention, the user may gain access to a domain of servers containing journals or publications through a subscription. In such a situation, the user may purchase the subscription in advance to gain access to on-line documents through the Internet. The user gains access to a subscribed document over the Internet through the authorization procedure as described above, where an authorization indicator is preferably embedded in a session identifier. In another embodiment, rather than relying on a prepaid subscription, a user may be charged and billed each time he or she accesses a particular document through the Internet. In that case, authorization may not be required so long as the user is fully identified in order to be charged for the service. The user identification is most appropriately embedded in the session identifier described above.

In another aspect of the invention, facilities are provided to allow users to utilize conventional telephone numbers or other identifiers to access merchant services. These merchant services can optionally be protected using SIDs. In a preferred embodiment, as shown in Figure 6, a Web browser client 601 provides a "dial" command to accept a telephone number from a user, as by clicking on a "dial" icon and inputting the telephone number through the keyboard. The browser then constructs a URL of the form "http://directory.net/NUMBER", where NUMBER is the telephone number or other identifier specified by the user. The browser then performs a GET of the document specified by this URL, which contacts directory server 602, sending the NUMBER requested in Message 1.

In another embodiment, implemented with a conventional browser, client 601 uses a form page provided by the directory server that prompts for a telephone number or other identifier in place of a "dial" command, and Message 1 is a POST message to a URL specified by this form page.

Once NUMBER is received by directory server 601, the directory server uses database 604 to translate the NUMBER to a target URL that describes the merchant server and document that implements the service corresponding to NUMBER. This translation can ignore the punctuation of the number, so embedded parentheses or dashes are not significant.

In another embodiment, an identifier other than a number may be provided. For example, a user may enter a company name or product name without exact spelling; in such a case a "soundex" or similar phonetic mapping can be used to permit words that sound alike to map to the same target URL. Multiple identifiers can also be used, such as a telephone number in conjunction with a product name or extension.

In Message 2, Directory server 602 sends a REDIRECT to client 601, specifying the target URL for NUMBER as computed from database 604. The client browser 601 then automatically sends Message 3 to GET the contents of this URL. Merchant server 603 returns this information in Message 4. The server 602 might have returned a Web page to the client to provide an appropriate link to the required document. However, because server 602 makes a translation to a final URL and sends a REDIRECT rather than a page to client 601, the document of Message 4 is obtained without any user action beyond the initial dial input.

The Target URL contained in Message 3 can be an ordinary URL to an uncontrolled page, or it can be a URL that describes a controlled page. If the Target URL describes a controlled page then authentication is performed as previously described. The Target URL can also describe a URL that includes an SID that provides a preauthorized means of accessing a controlled page.
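The directory server's translation of a dialed NUMBER (or a misspelled name) to the REDIRECT target of Message 2, as an added Python example that is not part of the patent: punctuation is discarded from numbers, and a Soundex code stands in for the phonetic mapping the text mentions. The directory entries and merchant URLs are constructed placeholders.

```python
import re

# Constructed stand-in for database 604: normalized dialed numbers and
# Soundex codes map to merchant target URLs. Every entry is a placeholder.
DIRECTORY_DB = {
    "5551234567": "http://merchant.example/flights/arrivals",
    "5557654321": "http://merchant.example/reservations",
    "W323": "http://merchant.example/widgets",   # soundex("Widgetco")
}

def normalize_number(number):
    """Punctuation is not significant: keep only the digits, so
    '(555) 123-4567' and '555.123.4567' translate to the same NUMBER."""
    return re.sub(r"\D", "", number)

def soundex(word):
    """Classic Soundex: the first letter plus three digits for the consonant
    classes, so names that sound alike map to the same code."""
    classes = {"bfpv": "1", "cgjkqsxz": "2", "dt": "3", "l": "4", "mn": "5", "r": "6"}
    table = {c: d for letters, d in classes.items() for c in letters}
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return ""
    out, prev = word[0].upper(), table.get(word[0], "")
    for ch in word[1:]:
        d = table.get(ch, "")
        if d and d != prev:
            out += d
        if ch not in "hw":      # h and w do not separate equal codes;
            prev = d            # vowels reset prev, so a repeated code counts again
    return (out + "000")[:4]

def lookup(identifier, db=DIRECTORY_DB):
    """Translate NUMBER (or a name) to the target URL, or None if unknown."""
    digits = normalize_number(identifier)
    if digits:
        return db.get(digits)
    return db.get(soundex(identifier))

def dial(identifier, db=DIRECTORY_DB):
    """Message 2 of the exchange: the directory server answers the GET of
    http://directory.net/NUMBER with a REDIRECT to the target URL (or 404),
    so the browser fetches the merchant page with no further user action."""
    target = lookup(identifier, db)
    return (302, target) if target is not None else (404, None)
```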

Among benefits of the "dial" command and its 
implementation is an improved way of accessing the Internet 
that is compatible with- conventional telephone numbers and 
other identifiers. Merchants do not need to alter their 
print or television advertising to provide an Internet 
specific form of contact information, and users do not need 
to learn about URLs. 

In the approach a single merchant server can provide 
multiple services that correspond to different external 
"telephone numbers" or other identifiers. For example, if 
users dial the "flight arrival" number they could be 
directed to the URL for the arrival page, while, if they 
dial the "reservations" number, they would be directed to 
the URL for the reservations page. A "priority gold" 
number could be directed to a controlled page URL that 
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^ ld -i*stf aut^enticate'^^ as ^elongingto \he gold % - 
users group, and then would provide access to the "priority 
1 " g0ld " P agdp A " uripubfishe : d^^assador» number could be 
directed to a tagged URL 'that permits' access to the " 
5.- ^priority gold" page without user authentication. 
■■> 3o - This" invention ha> particular application to network 
^ales-systems-such as presented In ifls/ Patent Application 
-:. - Serial NbV 0^328, 133^* lied" October^^ 1994 , by Payne ■ 
et^jal.c which' is •incorporated herein" by reference . 



Equivalents

Those skilled in the art will know or be able to ascertain, using no more than routine experimentation, many equivalents to the specific embodiments of the invention described herein. These and all other equivalents are intended to be encompassed by the following claims.
Appendix

/* TclIdSid
 *
 * Scans an ascii line and finds an ascii SID. (no validation though)
 *
 * Inputs:
 *
 * Returns:
 *   ascii bin_sid, if a sid is found it is returned.
 */
int TclIdSid(ClientData dummy, Tcl_Interp *interp,
             int argc, char **argv)
{
    char *sidp, *cp;
    interp->result[0] = 0;

    if (argc != 2)
    {
        interp->result = "wrong # args";
        return TCL_ERROR;
    }

    /* locate the SID prefix, then require exactly 19 characters (prefix
       plus 16 radix-64 characters) up to the next '/' or the end of the string */
    sidp = (char *) strstr(argv[1], "y@@");
    if (sidp == NULL) return TCL_OK;

    cp = (char *) strstr(sidp+1, "/");
    if (cp == NULL)
    {
        /* no trailing '/': the SID must run to the end of the string.
           (The listing went on to evaluate (cp - sidp) with cp == NULL.) */
        if (strlen(sidp) != 19) return TCL_OK;
    }
    else if ((cp - sidp) != 19) return TCL_OK;

    strncpy(interp->result, sidp, 19);
    interp->result[19] = 0;
    return TCL_OK;
}

/*
 * Register commands with interpreter.
 */
int SidSupInit(Tcl_Interp *interp)
{
    Tcl_CreateCommand(interp, "packsid", TclPackSid, NULL, NULL);
    Tcl_CreateCommand(interp, "unpacksid", TclUnpackSid, NULL, NULL);
    Tcl_CreateCommand(interp, "unpacksidnovalidate", TclUnpackSidNoValidate,
                      NULL, NULL);
    Tcl_CreateCommand(interp, "issid", TclIdSid, NULL, NULL);
    return TCL_OK;
}
/*
 * compute_ihash --
 *
 * Compute the MD5 hash for the specified string, returning the hash as
 * a 32b xor of the 4 hash longwords.
 *
 * Results:
 *   hash int.
 *
 * Side effects:
 *   None.
 */
int compute_ihash(char *str)
{
    MD5_CTX md5;
    unsigned char hash[16];
    unsigned int *pl;
    unsigned int hashi = 0;

    MD5Init(&md5);
    MD5Update(&md5, (unsigned char *) str, strlen(str));
    MD5Final(hash, &md5);
    pl = (unsigned int *) hash;

    hashi = *pl++;
    hashi ^= *pl++;
    hashi ^= *pl++;
    hashi ^= *pl++;
    return hashi;
}



/*
 * ticket.c --
 *
 * Commands for TICKET.
 *
 * Copyright 1995 by Open Market, Inc.
 * All rights reserved.
 *
 * This file contains proprietary and confidential information and
 * remains the unpublished property of Open Market, Inc. Use,
 * disclosure, or reproduction is prohibited except as permitted by
 * express written license agreement with Open Market, Inc.
 *
 * Steve Morris
 * morris@OpenMarket.com
 *
 * Created: Wed Mar 1 1995
 *
 * $Source: /omi/proj/master/omhttpd/Attic/ticket.c,v $
 */

#if !defined(lint)
static const char rcsid[] = "$Header: /omi/proj/master/omhttpd/Attic/ticket";  /* line truncated in source */
#endif /* not lint */

#include <stdio.h>
#include <sys/utsname.h>
#include "httpd.h"
#include "md5.h"
#include "ticket.h"

static TICKET_Server TicketServerData;

/*
 * This file implements all the ticket/sid related functions for the server.
 * The region commands RequireSID and xxxkx can be used to limit
 * access to groups of files, based on the authentication of the requestor.
 * The two commands are very similar, and only differ in the method used to
 * present the authentication data (in the URL) and in handling of the
 * failing access case. For failing TICKET's, a "not authorized" message is
 * generated. For failing (or absent) SID's, a REDIRECT (either local or via
 * CGI script) is performed to forward the request to an Authentication
 * server.
 *
 * RequireSID domain1 [domain2 ... domainn]
 *
 *   This command denies access unless the specified properties are
 *   true of the request. Only one RequireSID or xxxkx command can
 *   be used for a given region, though it may specify multiple domains.
 */

static int ProcessRequires(ClientData clientData, Tcl_Interp *interp,
                           int argc, char **argv, int flavor);
static int DomainNameCmd(ClientData clientData, Tcl_Interp *interp,
                         int argc, char **argv);
static int GetDomain(char *domname, int dflt);

SUBSTITUTE SHEET (RULE 26)    BNSDOCID: <WO 9642041 A2_I_>    PCT/US96/07838    -23-

static char *GetAsciiDomain(char *domname, char *dflt);
static int compute_ihash(char *str);
static char *computeHash(char *str);
static char *GetSecret(int kid);
static int GetKidByKeyID(char *keyID);
static char *CreateSid(HTTP_Request *reqPtr, int dom, int uid, int kid,
                       int exp, int uctx);
static void freeTicketReqData(void *dataPtr);
static void DumpStatus(HTTP_Request *reqPtr);
static void TICKET_DebugHooks(ClientData clientData, char *suffix,
                              HTTP_Request *reqPtr);
static int ParseSid(HTTP_Request *reqPtr);
static int ParseTicket(HTTP_Request *reqPtr);
static char *fieldParse(char *str, char sep, char **endptr);
void TICKET_ConfigCheck();
void DumpRusage(HTTP_Request *reqPtr);



/*
 * TICKET_RequireSidCmd --
 *
 * Checks that the requested URL is authorized via SID to access this
 * region. If the access is not authorized and we do not have a remote
 * authentication server registered, then an "unauthorized" message
 * is generated. If a remote authentication server has been
 * declared, we REDIRECT to that server, passing the requested URL and
 * required domain as arguments.
 *
 * Results:
 *   Normal Tcl result, or REDIRECT request.
 *
 * Side effects:
 *   Either an "unauthorized access" message or a REDIRECT in case of
 *   error.
 */
static int TICKET_RequireSidCmd(ClientData clientData, Tcl_Interp *interp,
                                int argc, char **argv)
{
    if (TicketGlobalData(EnableSidEater)) return TCL_OK;

    return (ProcessRequires(clientData, interp, argc, argv, ticketSid));
}
/*
 * ProcessRequires --
 *
 * Checks that the requested URL is authorized to access this
 * region. The error cases are treated differently for SID v.s. TICKET.
 * For Ticket's, an unauthorized access generates a returned error
 * message.
 * For SID's, we first look to see if we are operating in "local
 * authentication mode"; if we are, we generate a new SID into the url
 * and re-process the request.
 * If not in "local" mode we look for the presence of a remote
 * authentication server; if we have one declared (in the config file)
 * we REDIRECT to it passing the FULL url and a list of domains that
 * would have been legal. If an authentication server was not found
 * we return an error message.
 *
 * Results:
 *   Normal Tcl result, a local reprocess command, or a REDIRECT request.
 *
 * Side effects:
 *   Either an "unauthorized access" message or a REDIRECT in case of
 *   error.
 */
static int ProcessRequires(ClientData clientData, Tcl_Interp *interp,
                           int argc, char **argv, int flavor)
{
    HTTP_Request *reqPtr = (HTTP_Request *) clientData;
    HTTP_Server *serverPtr;
    TICKET_Request *ticketPtr;
    DString targetUrl;
    DString escapeUrl;
    int i, required_dom;
    int firstLegalDom = -1;
    char *NewSid, *cp;

    DStringInit(&targetUrl);
    DStringInit(&escapeUrl);

    /* fetch the server private and ticket specific extension data */
    serverPtr = reqPtr->serverPtr;
    ticketPtr = (TICKET_Request *) HT_GetReqExtData(reqPtr,
                    TicketServerData.tic /* field name truncated in source */);
    ASSERT(ticketPtr != NULL);

    /* compare the requesting SID/Ticket<DOM> to authorized list of domains */
    /* a match OR any valid domain and a required domain of TicketFreeArea is */
    /* [remainder of comment truncated in source] */
    for (i = 1; i < argc; i++)   /* loop header lost in source; mirrors the domain loop below */
    {
        required_dom = GetDomain(argv[i], -1);
        if (required_dom != -1)
        {
            if (firstLegalDom == -1) firstLegalDom = required_dom;
            if ((ticketPtr->sidDom == required_dom) ||
                ((ticketPtr->sidDom != -1) &&                      /* reconstructed from garbled line */
                 (required_dom == TicketGlobalData(FreeArea))) ||
                ((ticketPtr->ticketDom == required_dom) &&
                 (time(0) <= ticketPtr->ticketExp) &&
                 (strcmp(DStringValue(&ticketPtr->ticketIP),
                         DStringValue(&reqPtr->remoteAddr)) == 0)))
            {
                DStringFree(&escapeUrl);
                return TCL_OK;
            }
        }
    }

    /* count the number of domain crossings that caused re-auth */
    if ((firstLegalDom != -1) && (ticketPtr->sidDom != -1))
        IncTicketCounter(Cou /* counter name truncated in source */);

    /* authorization failed, if this was a sid url, and local auth is enabled */
    /* or this was an access to the free area */
    /* insert a new sid in the url, and REDIRECT back to the client */
    if ((TicketGlobalData(EnableLocalAuth) ||
         (firstLegalDom == TicketGlobalData(FreeArea))) &&
        (flavor == ticketSid) && (firstLegalDom != -1))
    {
        if ((DStringLength(&reqPtr->url) != 0) &&
            (DStringValue(&reqPtr->url)[0] != '/'))
        {
            HTTP_Error(reqPtr, NOT_FOUND, "access denied due to poorly formed url");
            DStringFree(&targetUrl);
            DStringFree(&escapeUrl);
            if (!ticketPtr->valid)
                DStringFree(&ticketPtr->sid);
            return TCL_RETURN;
        }

        NewSid = CreateSid(reqPtr, firstLegalDom, ticketPtr->uid,
                           TicketGlobalData(CurrentSecret),
                           TicketGlobalData(LocalAuthExp),
                           ticketPtr->uctx);
        DStringFree(&ticketPtr->sid);
        DStringAppend(&ticketPtr->sid, NewSid, -1);
        ComposeURL(reqPtr, DStringValue(&reqPtr->url), &targetUrl);
        IncTicketCounter(CountLocalRedirects);
        HTTP_Error(reqPtr, REDIRECT, DStringValue(&targetUrl));
        DStringFree(&targetUrl);
        DStringFree(&escapeUrl);
        if (!ticketPtr->valid)
            DStringFree(&ticketPtr->sid);
        return TCL_RETURN;
    }

    /* authorization failed, build the REDIRECT URL args. */
    /* If present, REDIRECT to authentication server. */
    if ((DStringLength(&TicketGlobalData(AuthServer)) != 0) &&
        (flavor == ticketSid))                                   /* condition reconstructed; line truncated in source */
    {
        if ((DStringLength(&reqPtr->url) != 0) &&
            (DStringValue(&reqPtr->url)[0] != '/'))
        {
            HTTP_Error(reqPtr, NOT_FOUND, "access denied due to poorly formed url");
            DStringFree(&targetUrl);
            DStringFree(&escapeUrl);
            if (!ticketPtr->valid)
                DStringFree(&ticketPtr->sid);
            return TCL_RETURN;
        }

        /* <authserver>?url=<escaped full url>&domain=<escaped "{dom1 dom2 ...}"> */
        DStringAppend(&targetUrl, DStringValue(&TicketGlobalData(AuthServer)), -1);
        DStringAppend(&targetUrl, "?url=", -1);
        ComposeURL(reqPtr, DStringValue(&reqPtr->url), &escapeUrl);
        EscapeUrl(&escapeUrl);
        DStringAppend(&targetUrl, DStringValue(&escapeUrl), -1);
        DStringAppend(&targetUrl, "&domain=", -1);
        DStringTrunc(&escapeUrl, 0);
        DStringAppend(&escapeUrl, "{", -1);
        for (i = 1; i < argc; i++)
        {
            cp = GetAsciiDomain(argv[i], NULL);
            if (cp != NULL)
            {
                DStringAppend(&escapeUrl, cp, -1);
                DStringAppend(&escapeUrl, " ", -1);
            }
        }
        DStringAppend(&escapeUrl, "}", -1);
        EscapeUrl(&escapeUrl);
        DStringAppend(&targetUrl, DStringValue(&escapeUrl), -1);
        DStringFree(&escapeUrl);
        HTTP_Error(reqPtr, REDIRECT, DStringValue(&targetUrl));
        IncTicketCounter(CountRemoteRedirects);
        DStringFree(&targetUrl);
        if (!ticketPtr->valid)
            DStringFree(&ticketPtr->sid);
        return TCL_RETURN;
    }

    /* authorization failed, if this is a ticket access, decode the */
    /* reason and handle via a redirect to a handler, or punt a */
    /* no access message */
    if ((flavor == ticketTicket) && (firstLegalDom == ticketPtr->ticketDom))   /* reconstructed; line truncated in source */
    {
        /* check for IP address restrictions */
        if ((DStringLength(&ticketPtr->ticketIP) != 0) &&
            (DStringLength(&TicketGlobalData(TicketAdrHandler)) != 0) &&
            (strcmp(DStringValue(&ticketPtr->ticketIP),
                    DStringValue(&reqPtr->remoteAddr)) != 0))
        {
            DStringAppend(&targetUrl, DStringValue(&TicketGlobalData(TicketAdrHandler)), -1);
            DStringAppend(&targetUrl, DStringValue(&ticketPtr->fields), -1);
            DStringAppend(&targetUrl, "&url=", -1);
            DStringAppend(&targetUrl, DStringValue(&reqPtr->url), -1);
            IncTicketCounter(CountTicketAddr);
            HTTP_Error(reqPtr, REDIRECT, DStringValue(&targetUrl));
            DStringFree(&targetUrl);
            return TCL_RETURN;
        }

        /* check for expired tickets */
        if (time(0) > ticketPtr->ticketExp)
        {
            DStringAppend(&targetUrl,
                          DStringValue(&TicketGlobalData(/* expiry handler name illegible in source */)), -1);
            DStringAppend(&targetUrl, DStringValue(&ticketPtr->fields), -1);
            DStringAppend(&targetUrl, "&url=", -1);
            DStringAppend(&targetUrl, DStringValue(&reqPtr->url), -1);
            IncTicketCounter(CountExpiredTicket);
            HTTP_Error(reqPtr, REDIRECT, DStringValue(&targetUrl));
            DStringFree(&targetUrl);
            return TCL_RETURN;
        }
    }

    /* no handler, punt a message */
    HTTP_Error(reqPtr, FORBIDDEN, "access denied by Require ticket/sid region command");
    IncTicketCounter(CountNoRedirects);
    if (!ticketPtr->valid)
        DStringFree(&ticketPtr->sid);
    DStringFree(&targetUrl);
    DStringFree(&escapeUrl);
    return TCL_RETURN;
}

/*
 * Get(Ascii)Domain --
 *
 * These routines perform an ascii to binary domain name lookup,
 * indexed by 'key', from the server's domain name catalog. Name/number
 * pairs are loaded into the catalog at configuration time with
 * the "Domain" configuration command. The Ascii version returns
 * a pointer to a character string that represents the domain number.
 * The non Ascii version returns an integer representing the domain number.
 *
 * Results:
 *   Integer value of domain. If no domain is available, returns deflt.
 *
 * Side effects:
 */
static int GetDomain(char *domname, int deflt)
{
    HashEntry *entryPtr;
    DString DomName;

    DStringInit(&DomName);
    DStringAppend(&DomName, domname, -1);
    strtolower(DStringValue(&DomName));
    entryPtr = FindHashEntry(&TicketServerData.Domains,
                             DStringValue(&DomName));
    DStringFree(&DomName);
    if (entryPtr == NULL) return deflt;
    return (int) GetHashValue(entryPtr);
}

static char *GetAsciiDomain(char *domname, char *deflt)
{
    HashEntry *entryPtr;
    static char buffer[64];
    DString DomName;

    DStringInit(&DomName);
    DStringAppend(&DomName, domname, -1);
    strtolower(DStringValue(&DomName));
    entryPtr = FindHashEntry(&TicketServerData.Domains,
                             DStringValue(&DomName));
    DStringFree(&DomName);
    if (entryPtr == NULL) return deflt;
    sprintf(buffer, "%d", (int) GetHashValue(entryPtr));   /* format string illegible in source */
    return buffer;
}
r <A 



/*
 * TICKET_InsertLocalSid --
 *
 * Given a URL, inspect it to see if it refers to the local server/port.
 * If it does, and it does not already contain a SID, insert one if
 * the current request included one. Note, for port 80 access we look
 * for a match with and without the port specifier.
 *
 * Results:
 *   None.
 *
 * Side effects:
 *   A SID may be inserted into the URL.
 */
void TICKET_InsertLocalSid(HTTP_Request *reqPtr, DString *result)
{
    HTTP_Server *serverPtr;
    TICKET_Request *ticketPtr;
    char tmp[32];
    DString pattern1;
    DString pattern2;
    DString tmp_url;
    DString *hitPattern = NULL;

    ticketPtr = (TICKET_Request *) HT_GetReqExtData(reqPtr,
                    TicketServerData.tic /* field name truncated in source */);
    if (ticketPtr == NULL) return;
    serverPtr = reqPtr->serverPtr;

    DStringInit(&pattern1);
    DStringInit(&pattern2);
    DStringInit(&tmp_url);

    /* pattern1 = "http://<server>:<port>", pattern2 = "http://<server>" */
    DStringAppend(&pattern1, "http://", -1);
    DStringAppend(&pattern1, DStringValue(&serverPtr->serverName), -1);
    DStringAppend(&pattern2, DStringValue(&pattern1), -1);
    sprintf(tmp, ":%d", serverPtr->server_port);
    DStringAppend(&pattern1, tmp, -1);

    if ((DStringLength(result) >= DStringLength(&pattern1)) &&
        (strncasecmp(DStringValue(&pattern1), DStringValue(result),
                     DStringLength(&pattern1)) == 0))
        hitPattern = &pattern1;
    else
        if ((serverPtr->server_port == 80) &&
            (DStringLength(result) >= DStringLength(&pattern2)) &&
            (strncasecmp(DStringValue(&pattern2), DStringValue(result),
                         DStringLength(&pattern2)) == 0))
            hitPattern = &pattern2;

    if (hitPattern != NULL)
    {
        /* rebuild as <matched prefix><sid><rest of original url> */
        DStringAppend(&tmp_url, DStringValue(hitPattern), -1);
        DStringAppend(&tmp_url, DStringValue(&ticketPtr->sid), -1);
        DStringAppend(&tmp_url,
                      &DStringValue(result)[DStringLength(hitPattern)], -1);
        DStringFree(result);
        DStringAppend(result, DStringValue(&tmp_url), -1);
        DStringFree(&tmp_url);
    }

    DStringFree(&pattern1);
    DStringFree(&pattern2);
    DStringFree(&tmp_url);
}

/*
 * CreateSid --
 *
 * This routine takes the passed arguments and creates a sid.
 *
 * Results:
 *   A sid.
 *
 * Side effects:
 *
 */
char *CreateSid(HTTP_Request *reqPtr, int dom, int uid, int kid, int exp, int uctx)
{
    int bsid[3] = {0, 0, 0};
    char temp_str[512];
    DString hash;
    int act_hash;
    static char sid[64];
    unsigned int expire_time;
    char *secret;
    char *hashP;
    char *cp;
    unsigned char *ecp;
    unsigned int eda;
    int endian = 1;

    DStringInit(&hash);
    expire_time = time(0) + exp;

    /* pack the fields into the three longwords of bsid */
    put_sid(dom_lw, dom_pos, dom_mask, dom);
    put_sid(uid_lw, uid_pos, uid_mask, uid);
    put_sid(kid_lw, kid_pos, kid_mask, kid);
    put_sid(exp_lw, exp_pos, exp_mask, (expire_time >> exp_shft_amt));
    put_sid(uctx_lw, uctx_pos, uctx_mask, uctx);
    put_sid(rev_lw, rev_pos, rev_mask, sid_rev_zero);

    /* the signature covers the key's secret, the client address and the
       two field longwords; the client address is therefore bound to the
       sid without being stored in it */
    secret = GetSecret(kid);
    ASSERT(secret != NULL);
    DStringAppend(&hash, secret, -1);
    DStringAppend(&hash, DStringValue(&reqPtr->remoteAddr), -1);
    sprintf(temp_str, "%08x%08x", bsid[2], bsid[1]);
    DStringAppend(&hash, temp_str, -1);
    /* format of the hash string is "%s%s%08x%08x",
       secret, ip_addr, bsid[2], bsid[1] */

    hashP = DStringValue(&hash);
    act_hash = compute_ihash(hashP);
    while (*hashP != 0) *hashP++ = 0;      /* scrub the secret from the buffer */
    DStringFree(&hash);
    /* fix_endian(&act_hash, ecp, eda); */
    put_sid(sig_lw, sig_pos, sig_mask, act_hash);
    /* fix_endian(&bsid[0], ecp, eda); */
    fix_endian(&bsid[1], ecp, eda);
    fix_endian(&bsid[2], ecp, eda);
#if (1 == 0)
    DumpSid();
#endif

    cp = radix64encode_noslash((char *) bsid, 12);
    strcpy(sid, SID_prefix);
    strcat(sid, cp);
    free(cp);
    return (sid);
}
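An added Python example, not the Open Market code, that puts together the SID construction of CreateSid above, the SID scan of TclIdSid at the start of the appendix, and the content server's decision in Steps 4 to 10 of the description: three 32-bit words carry the fields, the signature is the XOR-folded MD5 of secret, client address and the two field words, and the tag is radix-64 encoded without slashes. The field layout, the "@@" prefix and little-endian word order are assumptions (the listing's positions and masks are not on the page); the auth.com and content.com URLs are the page's own; the secret and key id are constructed.

```python
import base64
import hashlib
import struct
import time

# Field layout, prefix and byte order are assumptions for this example; the
# listing uses named positions/masks (dom_pos, uid_mask, exp_shft_amt, ...)
# whose values the page does not show. Word 0 carries the 32-bit signature,
# word 1 = uid:20 | dom:8 | uctx:2 | rev:2, word 2 = (exp >> 8):24 | kid:8.
SID_PREFIX = "@@"
EXP_SHIFT = 8          # expiry stored with 256-second granularity

def compute_ihash(data):
    """MD5 of data, XOR-folded to 32 bits as the listing's compute_ihash does
    (little-endian longwords assumed). Only 32 bits of tag survive, which is
    why a current design would use a full-length HMAC instead."""
    w = struct.unpack("<4I", hashlib.md5(data).digest())
    return w[0] ^ w[1] ^ w[2] ^ w[3]

def pack_words(uid, dom, kid, expire_time, uctx, rev=0):
    w1 = ((uid & 0xFFFFF) << 12) | ((dom & 0xFF) << 4) | ((uctx & 3) << 2) | (rev & 3)
    w2 = (((expire_time >> EXP_SHIFT) & 0xFFFFFF) << 8) | (kid & 0xFF)
    return w1, w2

def sign(secret, client_ip, w1, w2):
    """Same material as CreateSid: secret, client address, then "%08x%08x" of
    the two field words, so the client IP is bound to the SID through the
    signature without being stored in it."""
    material = secret + client_ip.encode() + ("%08x%08x" % (w2, w1)).encode()
    return compute_ihash(material)

def create_sid(secret, client_ip, uid, dom, kid, ttl, uctx, now=None):
    """Authentication-server side: pack, sign and radix-64 encode."""
    now = int(time.time()) if now is None else now
    w1, w2 = pack_words(uid, dom, kid, now + ttl, uctx)
    raw = struct.pack("<3I", sign(secret, client_ip, w1, w2), w1, w2)
    # 12 bytes -> 16 characters; '-' and '_' replace '+' and '/' so the SID
    # can sit in a URL path (the role of the listing's radix64encode_noslash).
    return SID_PREFIX + base64.b64encode(raw, altchars=b"-_").decode()

def parse_sid(sid):
    if not sid.startswith(SID_PREFIX) or len(sid) != len(SID_PREFIX) + 16:
        return None
    try:
        raw = base64.b64decode(sid[len(SID_PREFIX):], altchars=b"-_")
    except ValueError:
        return None
    sig, w1, w2 = struct.unpack("<3I", raw)
    return {"sig": sig, "w1": w1, "w2": w2, "uid": w1 >> 12,
            "dom": (w1 >> 4) & 0xFF, "uctx": (w1 >> 2) & 3,
            "kid": w2 & 0xFF, "exp": (w2 >> 8) << EXP_SHIFT}

def validate_sid(sid, keys, client_ip, required_dom, now=None):
    """Content-server check (Step 10): key id known, signature good for this
    client address, not expired, issued for the required domain."""
    now = int(time.time()) if now is None else now
    f = parse_sid(sid)
    if f is None:
        return (False, "malformed")
    secret = keys.get(f["kid"])
    if secret is None:
        return (False, "unknown key id")
    if sign(secret, client_ip, f["w1"], f["w2"]) != f["sig"]:
        return (False, "bad signature")      # forged, or replayed from another address
    if now > f["exp"]:
        return (False, "expired")
    if f["dom"] != required_dom:
        return (False, "wrong domain")
    return (True, "ok")

def find_sid(url):
    """Locate a SID in a URL the way TclIdSid does: the prefix followed by
    exactly 16 characters running to the next '/' or the end of the string."""
    i = url.find(SID_PREFIX)
    if i < 0:
        return None
    j = url.find("/", i + 1)
    end = len(url) if j < 0 else j
    return url[i:end] if end - i == len(SID_PREFIX) + 16 else None

def content_server_get(url, client_ip, keys, dom, now,
                       auth_server="http://auth.com/authenticate"):
    """Steps 4-10 from the content server's side: serve the page when the
    tagged URL carries a valid SID, otherwise REDIRECT to the authentication
    server with the domain and the requested URL as query arguments."""
    sid = find_sid(url)
    if sid is not None:
        ok, _why = validate_sid(sid, keys, client_ip, dom, now)
        if ok:
            return ("OK", url.replace("/" + sid, "", 1))
        url = url.replace("/" + sid, "", 1)    # do not echo a rejected SID back
    return ("REDIRECT", "%s?domain=%d&URL=%s" % (auth_server, dom, url))
```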

/*
 * compute_ihash --
 *
 * Compute the MD5 hash for the specified string, returning the hash as
 * a 32b xor of the 4 hash longwords.
 *
 * Results:
 *   hash int.
 *
 * Side effects:
 *   None.
 */
static int compute_ihash(char *str)
{
    MD5_CTX md5;
    unsigned char hash[16];
    unsigned int *pl;
    unsigned int hashi = 0;

    MD5Init(&md5);
    MD5Update(&md5, (unsigned char *) str, strlen(str));
    MD5Final(hash, &md5);

    pl = (unsigned int *) hash;
    hashi = *pl++;
    hashi ^= *pl++;
    hashi ^= *pl++;
    hashi ^= *pl++;
    return hashi;
}



/*
 * computeHash --
 *
 *      Compute the MD5 hash for the specified string, returning the hash as
 *      a 32-character hex string.
 *
 * Results:
 *      Pointer to static hash string.
 *
 * Side effects:
 *      None.
 */

static char *computeHash(char *str)
{
    int i;
    MD5_CTX md5;
    unsigned char hash[16];
    static char hashstr[33];
    char *q;

    MD5Init(&md5);
    MD5Update(&md5, (unsigned char *) str, strlen(str));
    MD5Final(hash, &md5);

    q = hashstr;
    for (i = 0; i < 16; i++) {
        sprintf(q, "%02x", hash[i]);
        q += 2;
    }
    *q = '\0';
    return hashstr;
}


/*
 * TICKET_ParseTicket --
 *
 *      Called by dorequest, before any region commands or mount handlers
 *      have run. We parse and handle incoming sid's and tickets.
 *
 * Results:
 *      None.
 *
 * Side effects:
 *
 */

int TICKET_ParseTicket(HTTP_Request *reqPtr)
{
    int status = HT_OK;

    IncTicketCounter(CountTotalUrl);
    status = ParseSid(reqPtr);
    if (status == HT_OK) status = ParseTicket(reqPtr);
    return status;
}



/*
 * ParseSid --
 *
 *      Called by TICKET_ParseTicket, before any region commands or mount handlers
 *      have run. We parse and handle incoming sid's.
 *
 * Results:
 *      None.
 *
 * Side effects:
 *
 */

int ParseSid(HTTP_Request *reqPtr)
{
    TICKET_Request *ticketPtr;
    HTTP_Server *serverPtr;
    DString hash;
    int i;
    int *bsid = NULL;
    unsigned int cur_tim, tdif, exp_tim;
    unsigned int act_hash;
    char *secret;
    char temp_str[512];
    char *hashP;
    char *cp, *cp1;
    int sid_ok = 0;
    unsigned char *ecp;
    unsigned int eda;
    int endian = 1;
    int ip1, ip2, ip3, ip4;

    /* fetch the server private ticket extension data */
    /* note that this sets up a default ticket block for both SID's and Tickets */
    serverPtr = reqPtr->serverPtr;
    ticketPtr = (TICKET_Request *) HT_GetReqExtData(reqPtr, TicketServerData.ticketExtensionId);
    ASSERT(ticketPtr == NULL);

    ticketPtr = (TICKET_Request *) Malloc(sizeof(TICKET_Request));
    HT_AddReqExtData(reqPtr, TicketServerData.ticketExtensionId, ticketPtr, freeTicketReqData);
    DStringInit(&ticketPtr->rawUrl);
    DStringInit(&ticketPtr->sid);
    DStringInit(&ticketPtr->fields);
    DStringInit(&ticketPtr->signature);
    DStringInit(&ticketPtr->ticketIP);
    ticketPtr->valid = 0;
    ticketPtr->sidDom = -1;
    ticketPtr->ticketDom = -1;
    ticketPtr->ticketExp = -1;
    ticketPtr->uid = 0;
    ticketPtr->uctx = 0;

    /* provisional user id, derived from the client address plus a random part,
       used until a valid SID says otherwise */
    sscanf(DStringValue(&reqPtr->remoteAddr), "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);
    ticketPtr->uid = (((ip1 + ip2) << 24) | ((ip3 + ip4) << 16) | (rand() & 0xFFFF));
    ticketPtr->uctx = 1;

    /* we are done if sids are not enabled, or this url does not have a sid */
    if (!(TicketGlobalData(EnableSid))) return HT_OK;
    cp1 = DStringValue(&reqPtr->url);
    if (strstr(cp1, SID_prefix) != cp1)
        return HT_OK;

    /* a bare SID with nothing after it gets a trailing "/" */
    if (strlen(cp1) == sidLength)
    {
        DStringAppend(&reqPtr->url, "/", -1);
        DStringAppend(&reqPtr->path, "/", -1);
        cp1 = DStringValue(&reqPtr->url);
    }
    cp = strchr(cp1 + sizeof(SID_prefix), '/');
    if ((cp - cp1) != sidLength)
        return HT_OK;
    IncTicketCounter(CountSidUrl);
    DStringInit(&hash);

    /* if sid eater is enabled, rewrite the url without the sid, and reprocess the url */
    if (TicketGlobalData(EnableSidEater))
    {
        DStringAppend(&hash, DStringValue(&reqPtr->url), -1);
        DStringFree(&reqPtr->url);
        DStringAppend(&reqPtr->url, DStringValue(&hash) + sidLength, -1);
        DStringTrunc(&hash, 0);
        DStringAppend(&hash, DStringValue(&reqPtr->path), -1);
        DStringFree(&reqPtr->path);
        DStringAppend(&reqPtr->path, DStringValue(&hash) + sidLength, -1);
        DStringFree(&hash);
        IncTicketCounter(CountDiscardedSidUrl);
        return HT_OK;
    }

    DStringAppend(&ticketPtr->sid, DStringValue(&reqPtr->url), sidLength);

    /* first convert the SID back to binary (skipping the 3-character prefix) */
    i = DStringLength(&ticketPtr->sid) - 3;
    bsid = (int *) radix64decode_noslash(DStringValue(&ticketPtr->sid) + 3, &i);
    if ((bsid == NULL) || (i != 12)) goto rtn_exit;
    fix_endian(&bsid[0], ecp, eda);
    fix_endian(&bsid[1], ecp, eda);
    fix_endian(&bsid[2], ecp, eda);

    /* check the SID version field */
    if (get_sid(rev_lw, rev_pos, rev_mask) != sid_rev_zero) goto sid_bad;
    if (get_sid(rsrv1_lw, rsrv1_pos, rsrv1_mask) != 0) goto sid_bad;
    if (get_sid(rsrv2_lw, rsrv2_pos, rsrv2_mask) != 0) goto sid_bad;

    /* Get a pointer to the secret */
    secret = GetSecret(get_sid(kid_lw, kid_pos, kid_mask));
    if (secret == NULL) goto sid_bad;

    /* hash the sid and check the signature */
    DStringAppend(&hash, secret, -1);
    DStringAppend(&hash, DStringValue(&reqPtr->remoteAddr), -1);
    sprintf(temp_str, "%08x%08x", bsid[2], bsid[1]);
    DStringAppend(&hash, temp_str, -1);
    /* format of the hash string is "%s%s%08x%08x", secret, ip_addr, bsid[2], bsid[1] */

    hashP = DStringValue(&hash);
    act_hash = compute_ihash(hashP);
    while (*hashP != 0) *hashP++ = 0;     /* scrub the secret out of the buffer */
    fix_endian(&act_hash, ecp, eda);
    if (act_hash != get_sid(sig_lw, sig_pos, sig_mask)) goto sid_bad;

    /* sid is ok, may be expired, but good enough to id user */
    ticketPtr->uid = get_sid(uid_lw, uid_pos, uid_mask);
    ticketPtr->uctx = get_sid(uctx_lw, uctx_pos, uctx_mask);

    /* do the SID expiration processing */
    cur_tim = (time(0) >> exp_shft_amt) & exp_mask;
    exp_tim = get_sid(exp_lw, exp_pos, exp_mask);
    tdif = (exp_tim - cur_tim) & 0xffff;     /* 16-bit window, tolerates wraparound */
    if (tdif > 0x7fff)
    {
        IncTicketCounter(CountExpSid);
        goto sid_exp;
    }

    /* sid is fine, save the sid state, update the url's */
    ticketPtr->sidDom = get_sid(dom_lw, dom_pos, dom_mask);
    ticketPtr->valid = 1;
    sid_ok = 1;
    IncTicketCounter(CountValidSid);

sid_bad:
    if (!(sid_ok)) IncTicketCounter(CountInvalidSid);

sid_exp:
    /* remember the original url (with sid) and strip the sid from the request */
    DStringAppend(&ticketPtr->rawUrl, DStringValue(&reqPtr->path), -1);
    DStringTrunc(&reqPtr->path, 0);
    DStringAppend(&reqPtr->path, DStringValue(&ticketPtr->rawUrl) + sidLength, -1);
    DStringTrunc(&ticketPtr->rawUrl, 0);
    DStringAppend(&ticketPtr->rawUrl, DStringValue(&reqPtr->url), -1);
    DStringTrunc(&reqPtr->url, 0);
    DStringAppend(&reqPtr->url, DStringValue(&ticketPtr->rawUrl) + sidLength, -1);
rtn_exit:
    DStringFree(&hash);
    if (bsid != NULL) free(bsid);
    return HT_OK;
}
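The SID build above and the ParseSid check, re-implemented as an added example (not the patent's own code) so the signature and expiration arithmetic can be run end to end. It assumes a three-word SID layout (signature, dom|kid|exp16, uid), an expiration shift of 8 and a constructed key table, since the put_sid/get_sid field constants are not in this part of the listing.

```python
import hashlib
import struct

# Added example, not the patent's own code: the SID signing and expiry logic of
# the C listing (compute_ihash's MD5 XOR-fold, the "%s%s%08x%08x" hash string,
# the 16-bit expiration window) in Python. The word layout below is assumed.

EXP_SHFT_AMT = 8        # assumed shift: expiration stored in 256-second units
EXP_MASK = 0xFFFF       # the listing masks the expiration difference with 0xffff
WORD_MASK = 0xFFFFFFFF

# Constructed key store standing in for the table built by the "Secrets" directive.
SECRETS = {1: b"constructed-secret-one", 2: b"constructed-secret-two"}


def get_secret(kid):
    """Like GetSecret(): the ascii secret for a binary key id, or None if unknown."""
    return SECRETS.get(kid)


def compute_ihash(data):
    """MD5 the data and XOR-fold the four 32-bit digest words into one 32-bit tag."""
    # The C code reads the 16-byte digest through an unsigned int pointer;
    # on a little-endian host that is "<4I". The result is a 32-bit tag,
    # far shorter than the full digest.
    w = struct.unpack("<4I", hashlib.md5(data).digest())
    return w[0] ^ w[1] ^ w[2] ^ w[3]


def sid_signature(secret, ip_addr, bsid2, bsid1):
    """Signature input is secret || client IP || "%08x%08x" of bsid[2], bsid[1]."""
    msg = secret + ip_addr.encode("ascii") + ("%08x%08x" % (bsid2, bsid1)).encode("ascii")
    return compute_ihash(msg)


def make_sid(ip_addr, uid, kid, dom, expire_time):
    """Build the three SID words [signature, dom|kid|exp16, uid] (assumed layout)."""
    exp16 = (expire_time >> EXP_SHFT_AMT) & EXP_MASK
    bsid1 = ((dom & 0xFF) << 24) | ((kid & 0xFF) << 16) | exp16
    bsid2 = uid & WORD_MASK
    secret = get_secret(kid)
    if secret is None:
        raise ValueError("no secret for kid %d" % kid)
    return [sid_signature(secret, ip_addr, bsid2, bsid1), bsid1, bsid2]


def check_sid(bsid, ip_addr, now):
    """Mirror ParseSid(): key lookup, signature check, then the expiry window.

    Returns "bad" (unknown key or signature mismatch, counted as an invalid SID),
    "expired" (signature fine but the window has passed), or "ok".
    """
    sig, bsid1, bsid2 = bsid
    secret = get_secret((bsid1 >> 16) & 0xFF)
    if secret is None:
        return "bad"
    if sid_signature(secret, ip_addr, bsid2, bsid1) != sig:
        return "bad"
    # Same arithmetic as the listing: the difference is taken modulo 2**16,
    # so the 16-bit time field may wrap around without breaking the test.
    cur = (now >> EXP_SHFT_AMT) & EXP_MASK
    tdif = ((bsid1 & EXP_MASK) - cur) & 0xFFFF
    if tdif > 0x7FFF:
        return "expired"
    return "ok"
```

Because the client address is part of the signed string, the same SID presented from a different address fails the signature check rather than the expiry check.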

/*
 * freeTicketReqData --
 *
 *      This routine frees the storage used by ticket specific request
 *      data.
 *
 * Results:
 *      None.
 *
 * Side effects:
 *      Memory freed.
 */

static void freeTicketReqData(void *dataPtr)
{
    TICKET_Request *ticketPtr = dataPtr;

    DStringFree(&ticketPtr->rawUrl);
    DStringFree(&ticketPtr->sid);
    DStringFree(&ticketPtr->fields);
    DStringFree(&ticketPtr->signature);
    DStringFree(&ticketPtr->ticketIP);
    free(ticketPtr);
}

/*
 * GetSecret --
 *
 *      Given a binary keyID, returns an ascii secret from the
 *      secrets store. For untranslatable names, return NULL.
 *
 * Results:
 *      "I've got a secret, now you do too."
 *
 * Side effects:
 *
 */

char *GetSecret(int kid)
{
    HashEntry *entryPtr;

    entryPtr = FindHashEntry(&TicketServerData.SecretsKid, (void *) kid);
    if (entryPtr == NULL) return NULL;
    return DStringValue((DString *) GetHashValue(entryPtr));
}



/*
 * GetKidByKeyID --
 *
 *      Given an ascii KeyID return the binary Key ID,
 *      for untranslatable names, return -1.
 *
 * Results:
 *      "I've got a secret, now you do too."
 *
 * Side effects:
 *
 */

int GetKidByKeyID(char *keyID)
{
    HashEntry *entryPtr;

    entryPtr = FindHashEntry(&TicketServerData.KeyID, (void *) keyID);
    if (entryPtr == NULL) return -1;
    return (int) GetHashValue(entryPtr);
}
/*
 * fieldParse --
 *
 *      Given a string, a separator character, extracts a field up to the
 *      separator into the result string.
 *      Does substitution on '%XX' sequences, and returns the pointer to the
 *      character beyond last character in '*endptr'.
 *
 * Results:
 *      Returns a malloc'ed string (caller must free), or NULL if an
 *      error occurred during processing (such as an invalid sequence).
 *
 * Side effects:
 *      None.
 */
#define SIZE_INC 200

static char *fieldParse(char *str, char sep, char **endptr)
{
    char buf[3];
    char c;
    char *end, *data, *p;
    int maxlen, len;

    len = 0;
    maxlen = SIZE_INC;
    p = data = malloc(maxlen);

    /*
     * Loop through string, until end of string or sep character.
     */
    while (*str && *str != sep) {
        if (*str == '%') {
            /* a '%' must be followed by exactly two hex digits */
            if (!isxdigit(str[1]) || !isxdigit(str[2])) {
                free(data);
                return NULL;
            }
            buf[0] = str[1];
            buf[1] = str[2];
            buf[2] = '\0';
            c = strtol(buf, &end, 16);
            str += 3;
        } else if (*str == '+') {
            c = ' ';
            str++;
        } else {
            c = *str++;
        }
        *p++ = c;
        len++;
        if (len >= maxlen) {
            /* grow the result buffer and re-point p into the new block */
            maxlen += SIZE_INC;
            data = realloc(data, maxlen);
            p = data + len;
        }
    }
    *p++ = '\0';
    *endptr = str;
    return data;
}

/*
 * DomainNameCmd --
 *
 *      A call to this routine builds the ascii domain name
 *      to binary domain name mapping structure for a numeric domain.
 *      Syntax is: Domain number name1 name2 name3 name ... name_last
 *      At least one name is required. The number is decimal and
 *      can be any value except -1. -1 is reserved as a marker
 *      for untranslatable names.
 *
 * Results:
 *      None.
 *
 * Side effects:
 *      Commands are validated, and entries added to the map.
 */

static int DomainNameCmd(ClientData clientData, Tcl_Interp *interp,
                         int argc, char **argv)
{
    int new, i;
    HashEntry *entryPtr;
    int DomNumber;
    DString DomName;

    if (argc < 3)
    {
        Tcl_AppendResult(interp, argv[0], " directive: wrong number of "
                         "arguments, should be \"3\"",
                         (char *) NULL);
        return TCL_ERROR;
    }
    DStringInit(&DomName);
    if (((sscanf(argv[1], "%d", &DomNumber) != 1) || (DomNumber == -1)))
    {
        Tcl_AppendResult(interp, argv[0], " directive: ",
                         "Domain number must be an integer, and not equal to -1, "
                         "value found was ", argv[1],
                         (char *) NULL);
        return TCL_ERROR;
    }
    for (i = 2; i < argc; i++)
    {
        DStringFree(&DomName);
        DStringAppend(&DomName, argv[i], -1);
        strtolower(DStringValue(&DomName));     /* names are matched case-insensitively */
        entryPtr = CreateHashEntry(&TicketServerData.Domains, DStringValue(&DomName), &new);
        if (new == 0)
        {
            Tcl_AppendResult(interp, argv[0], " directive: ",
                             "Duplicate domain name specified, ", argv[i],
                             (char *) NULL);
            return TCL_ERROR;
        }
        SetHashValue(entryPtr, DomNumber);
    }
    DStringFree(&DomName);
    return TCL_OK;
}


/*
 * SecretsCmd --
 *
 *      A call to this routine builds the kid to secrets table.
 *
 * Results:
 *      None.
 *
 * Side effects:
 *      Secrets are stored.
 */

static int SecretsCmd(ClientData clientData, Tcl_Interp *interp,
                      int argc, char **argv)
{
    int newKid, newKeyID;
    HashEntry *entryPtrKid = NULL, *entryPtrKeyID = NULL;
    int Kid;
    DString *dsptrKid;

    if (argc != 4)
    {
        Tcl_AppendResult(interp, argv[0], " directive: wrong number of "
                         "arguments, should be \"4\"",
                         (char *) NULL);
        return TCL_ERROR;
    }
    if (sscanf(argv[2], "%d", &Kid) != 1)
    {
        Tcl_AppendResult(interp, argv[0],
                         " directive: KeyID must be an integer",
                         ", value found was ", argv[2],
                         (char *) NULL);
        return TCL_ERROR;
    }

    /* one entry keyed by the binary kid; an ascii KeyID name is optional */
    entryPtrKid = CreateHashEntry(&TicketServerData.SecretsKid, (void *) Kid, &newKid);
    if (strlen(argv[1]))
        entryPtrKeyID = CreateHashEntry(&TicketServerData.KeyID, (void *) argv[1], &newKeyID);
    if ((newKid == 0) || ((newKeyID == 0) && strlen(argv[1])))
    {
        Tcl_AppendResult(interp, argv[0],
                         " directive: Duplicate Secret specified for KeyID ",
                         argv[1],
                         (char *) NULL);
        return TCL_ERROR;
    }

    dsptrKid = (DString *) malloc(sizeof(DString));
    DStringInit(dsptrKid);
    DStringAppend(dsptrKid, argv[3], -1);
    SetHashValue(entryPtrKid, dsptrKid);
    if (strlen(argv[1]))
        SetHashValue(entryPtrKeyID, Kid);
    return TCL_OK;
}

/*
 * TICKET_Initialize --
 *
 *      Calls all the necessary routines to initialize the ticket subsystem.
 *
 * Results:
 *      None.
 *
 * Side effects:
 *      Commands added to the region interpreter.
 */

int TICKET_Initialize(HTTP_Server *serverPtr, Tcl_Interp *interp)
{
    TicketServerData.ticketExtensionId = "ticket";

    InitHashTable(&TicketServerData.SecretsKid, TCL_ONE_WORD_KEYS);
    InitHashTable(&TicketServerData.KeyID, TCL_STRING_KEYS);
    InitHashTable(&TicketServerData.Domains, TCL_STRING_KEYS);

    /* initialize Server ticket data */
    DStringInit(&TicketGlobalData(AuthServer));   /* illegible in the listing; paired with the free in TICKET_Shutdown */
    DStringInit(&TicketGlobalData(TicketExpHandler));
    DStringInit(&TicketGlobalData(TicketAdrHandler));

    TicketGlobalData(FreeArea) = 0;
    TicketGlobalData(EnableLocalAuth) = 0;
    TicketGlobalData(CurrentSecret) = 0;
    TicketGlobalData(EnableSid) = 0;
    TicketGlobalData(EnableTicket) = 0;
    TicketGlobalData(EnableSidEater) = 0;
    TicketGlobalData(LocalAuthExp) = 60*30;

    /* ticket event counters */
    TicketGlobalData(CountTotalUrl) = 0;
    TicketGlobalData(CountSidUrl) = 0;
    TicketGlobalData(CountValidSid) = 0;
    TicketGlobalData(CountExpSid) = 0;
    TicketGlobalData(CountInvalidSid) = 0;
    TicketGlobalData(CountCrossDomain) = 0;
    TicketGlobalData(CountLocalRedirects) = 0;
    TicketGlobalData(CountRemoteRedirects) = 0;
    TicketGlobalData(CountNoRedirects) = 0;
    TicketGlobalData(CountDiscardedSidUrl) = 0;

    /* Ticket related Config commands */
    Tcl_CreateCommand(interp, "Domain", DomainNameCmd,
                      (ClientData) serverPtr, NULL);
    Tcl_CreateCommand(interp, "Secrets", SecretsCmd,
                      (ClientData) serverPtr, NULL);
    Tcl_CreateCommand(interp, "AuthenticationServer", CmdStringValue,
                      (ClientData) &TicketGlobalData(AuthServer), NULL);
    Tcl_CreateCommand(interp, "TicketExpirationHandler", CmdStringValue,
                      (ClientData) &TicketGlobalData(TicketExpHandler), NULL);
    Tcl_CreateCommand(interp, "TicketAdrHandler",   /* command name illegible in the listing; assumed */
                      CmdStringValue,
                      (ClientData) &TicketGlobalData(TicketAdrHandler), NULL);
    Tcl_CreateCommand(interp, "FreeDomain", CmdIntValue,
                      (ClientData) &TicketGlobalData(FreeArea), NULL);
    Tcl_CreateCommand(interp, "EnableSidEater", CmdIntValue,
                      (ClientData) &TicketGlobalData(EnableSidEater), NULL);
    Tcl_CreateCommand(interp, "EnableSid", CmdIntValue,
                      (ClientData) &TicketGlobalData(EnableSid), NULL);
    Tcl_CreateCommand(interp, "EnableTicket", CmdIntValue,
                      (ClientData) &TicketGlobalData(EnableTicket), NULL);
    Tcl_CreateCommand(interp, "EnableLocalAuth", CmdIntValue,
                      (ClientData) &TicketGlobalData(EnableLocalAuth), NULL);
    Tcl_CreateCommand(interp, "CurrentSecret", CmdIntValue,
                      (ClientData) &TicketGlobalData(CurrentSecret), NULL);
    Tcl_CreateCommand(interp, "LocalAuthExp", CmdIntValue,
                      (ClientData) &TicketGlobalData(LocalAuthExp), NULL);

    HT_AddMountHandler(serverPtr, TICKET_DebugHooks,
                       "/omiserver", NULL);
    return HT_OK;
}
/*
 * TICKET_Shutdown --
 *
 *      Calls all the necessary routines to shutdown the ticket subsystem.
 *
 * Results:
 *      None.
 *
 * Side effects:
 *      Memory freed.
 */

void TICKET_Shutdown(HTTP_Server *serverPtr)
{
    HashEntry *entryPtr;
    HashSearch search;
    DString *dstring;

    DStringFree(&TicketGlobalData(AuthServer));
    DStringFree(&TicketGlobalData(TicketExpHandler));
    DStringFree(&TicketGlobalData(TicketAdrHandler));

    /* each secret is a malloc'ed DString; free both the string and the holder */
    entryPtr = FirstHashEntry(&TicketServerData.SecretsKid, &search);
    while (entryPtr != NULL)
    {
        dstring = GetHashValue(entryPtr);
        DStringFree(dstring);
        free(dstring);
        entryPtr = NextHashEntry(&search);
    }
    DeleteHashTable(&TicketServerData.SecretsKid);
    DeleteHashTable(&TicketServerData.KeyID);
    DeleteHashTable(&TicketServerData.Domains);
}



/*
 * TICKET_AddRegionCommands --
 *
 *      Add TICKET region commands for authentication/authorization
 *      decisions.
 *
 * Results:
 *      None.
 *
 * Side effects:
 *      Commands added to the region interpreter.
 */

void TICKET_AddRegionCommands(HTTP_Request *reqPtr, Tcl_Interp *interp)
{
    Tcl_CreateCommand(interp, "RequireSID", TICKET_RequireSidCmd,
                      (ClientData) reqPtr, NULL);
    Tcl_CreateCommand(interp, "RequireTicket", TICKET_RequireTicketCmd,
                      (ClientData) reqPtr, NULL);
}



/*
 * TICKET_GetCGIVariables --
 *
 *      Add TICKET CGI variables to the CGI variable table.
 *
 * Results:
 *      None.
 *
 * Side effects:
 *      Extends the CGI variable hash table.
 */

void TICKET_GetCGIVariables(HTTP_Request *req)
{
    TICKET_Request *ticketPtr = (TICKET_Request *)
        HT_GetReqExtData(req, TicketServerData.ticketExtensionId);

    /*
     * If there's no extension data, then we're not doing a ticket. Just
     * return.
     */
    if (ticketPtr == NULL)
        return;

    if (DStringLength(&ticketPtr->rawUrl) != 0)
        HT_AddCGIParameter(req, "TICKET_URL", DStringValue(&ticketPtr->rawUrl), FALSE);
    if (DStringLength(&ticketPtr->sid) != 0)
        HT_AddCGIParameter(req, "TICKET_SID", DStringValue(&ticketPtr->sid), FALSE);
    if (DStringLength(&ticketPtr->fields) != 0)
        HT_AddCGIParameter(req, "TICKET_FIELDS", DStringValue(&ticketPtr->fields), FALSE);
    if (DStringLength(&ticketPtr->signature) != 0)
        HT_AddCGIParameter(req, "TICKET_SIGNATURE", DStringValue(&ticketPtr->signature), FALSE);
}

/*
 * TICKET_GetUrl --
 *
 *      Return the original url (with sid).
 *
 * Results:
 *      The URL.
 *
 * Side effects:
 *      None.
 */

char *TICKET_GetUrl(HTTP_Request *reqPtr)
{
    TICKET_Request *ticketPtr;

    ticketPtr = (TICKET_Request *)
        HT_GetReqExtData(reqPtr, TicketServerData.ticketExtensionId);
    if ((ticketPtr != NULL) &&
        (DStringLength(&ticketPtr->rawUrl) != 0))
        return DStringValue(&ticketPtr->rawUrl);
    else
        return DStringValue(&reqPtr->url);
}



/*
 * TICKET_ConfigCheck --
 *
 *      Perform late configuration checks.
 *
 * Results:
 *
 * Side effects:
 *      Possible message logged/printed, and program exited.
 */

void TICKET_ConfigCheck()
{
    HashEntry *entryPtr;
    int kid;

    if ((TicketGlobalData(EnableSid) & ~0x1) != 0)
    {
        LogMessage(LOG_ERR, "EnableSid must be 0 or 1");
        exit(0);
    }
    if (!(TicketGlobalData(EnableSid))) return;

    /* the current key id must fit the SID kid field and have a secret */
    kid = TicketGlobalData(CurrentSecret);
    if ((kid & kid_mask) != kid)
    {
        LogMessage(LOG_ERR, "CurrentSecret %d is invalid", kid);
        exit(0);
    }
    entryPtr = FindHashEntry(&TicketServerData.SecretsKid, (void *) kid);
    if (entryPtr == NULL)
    {
        LogMessage(LOG_ERR, "No secret defined for CurrentSecret %d", kid);
        exit(0);
    }
    if ((TicketGlobalData(FreeArea) & ~0xff) != 0)
    {
        LogMessage(LOG_ERR, "FreeArea must be between 0 and 255");
        exit(0);
    }
    if ((TicketGlobalData(EnableSidTicket) & ~0x1) != 0)
    {
        LogMessage(LOG_ERR, "EnableSidTicket must be 0 or 1");
        exit(0);
    }
    if ((TicketGlobalData(EnableTicket) & ~0x1) != 0)
    {
        LogMessage(LOG_ERR, "EnableTicket must be 0 or 1");
        exit(0);
    }
    if ((TicketGlobalData(EnableLocalAuth) & ~0x1) != 0)
    {
        LogMessage(LOG_ERR, "EnableLocalAuth must be 0 or 1");
        exit(0);
    }
}

/*
 * TICKET_DebugHooks --
 *
 *      Check for debug hooks and execute if found.
 *
 * Results:
 *      None.
 *
 * Side Effects:
 *      None.
 */

static void TICKET_DebugHooks(ClientData clientData, char *suffix,
                              HTTP_Request *reqPtr)
{
    if (strcmp(suffix, "/ticketstatus") == 0)
    {
        DumpStatus(reqPtr);
        HT_FinishRequest(reqPtr);
        return;
    }
    HTTP_Error(reqPtr, NOT_FOUND, "access denied due to poorly formed url");
    HT_FinishRequest(reqPtr);
    return;
}


/*
 * DumpStatus --
 *
 *      Dump the server's ticket stats.
 *
 * Results:
 *      None.
 *
 * Side effects:
 *      None.
 */

#define BUFSIZE 1024

static void DumpStatus(HTTP_Request *reqPtr)
{
    HTTP_Server *serverPtr = reqPtr->serverPtr;
    char tmp[BUFSIZE], timeStr[BUFSIZE];
    struct utsname sysinfo;
    time_t uptime;
    int hours;

    HTTP_BeginHeader(reqPtr, "200 OK");
    HTTP_SendHeader(reqPtr, "Content-type: text/html", NULL);
    HTTP_EndHeader(reqPtr);

    HTTP_Send(reqPtr, "<title>WebServer Ticket Status</title>",
              "<h1>WebServer Ticket Status</h1>", NULL);
    HTTP_Send(reqPtr, "<p><hr><p><h2>Ticket Log</h2>", "<p><pre>\n", NULL);

    sprintf(tmp, " <b>%s: </b> %d\n", "Number of accesses         ", TicketGlobalData(CountTotalUrl));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, " <b>%s: </b> %d\n", "Number of SID URL's        ", TicketGlobalData(CountSidUrl));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, " <b>%s: </b> %d\n", "Number of Valid SID's      ", TicketGlobalData(CountValidSid));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, " <b>%s: </b> %d\n", "Number of Expired SID's    ", TicketGlobalData(CountExpSid));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, " <b>%s: </b> %d\n", "Number of Invalid SID's    ", TicketGlobalData(CountInvalidSid));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, " <b>%s: </b> %d\n", "Number of XDomain accesses ", TicketGlobalData(CountCrossDomain));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, " <b>%s: </b> %d\n", "Number of Local Redirects  ", TicketGlobalData(CountLocalRedirects));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, " <b>%s: </b> %d\n", "Number of Remote Redirects ", TicketGlobalData(CountRemoteRedirects));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, " <b>%s: </b> %d\n", "Number of No Auth servers  ", TicketGlobalData(CountNoRedirects));
    HTTP_Send(reqPtr, tmp, "</pre>", NULL);

    uptime = time(NULL) - serverPtr->started;
    uname(&sysinfo);
    strftime(timeStr, BUFSIZE, "%A, %d-%b-%y %T",
             localtime(&serverPtr->started));
    sprintf(tmp, "Server running on <b>%s</b> (%s %s) port %d, has been up "
            "since %s.<p>", sysinfo.nodename, sysinfo.sysname,
            sysinfo.release, serverPtr->server_port, timeStr);
    HTTP_Send(reqPtr, tmp, NULL);

    sprintf(tmp, " <b>Number of connections: </b> %d\n",
            serverPtr->numConnects);
    HTTP_Send(reqPtr, "<p><pre>\n", tmp, NULL);
    sprintf(tmp, " <b>Number of HTTP requests: </b> %d\n",
            serverPtr->numRequests);
    HTTP_Send(reqPtr, tmp, "</pre><p>", NULL);

    hours = max(uptime / 3600, 1);     /* avoid dividing by zero during the first hour */
    sprintf(tmp, "This server is averaging <b>%d</b> requests per hour.<p>",
            serverPtr->numRequests / hours);
    HTTP_Send(reqPtr, tmp, NULL);

    DumpRusage(reqPtr);
    /* DumpConnections(reqPtr); */

    DNS_DumpStats(reqPtr);

    HTTP_Send(reqPtr, "<p><hr><address>", DStringValue(&serverSoftware),
              "</address>\n", NULL);

    reqPtr->done = TRUE;
}

#undef BUFSIZE
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'What is clexmed zs.:.; 



CLAIMS 



1. A method of processing service requests from a client 
to a server systep .-..through r.^i network comprising: 

5 forwarding a service 4 request from'thfe client to 

the server system;* 1 ' 7 " r: <0 " ' . - - 

' - returning a session identifier from tjie. server 
system to the client; and 

appending the session identifier teo the request 
10 . .. j an& subsequent service requests from the client to the ? 
server system within" session of requests. c- 

2. A method as claimed in Claim 1 wherein: the set^ei? 1 : 
system tracks an access history of - sequenced "of ' 
service requests within the session of requests. :T :> 

15 3 . A method , as claimed j in . CJLaixa J2 . wherein : the server : 

system tracks the access history to determine service 
requests leading to a purchase made within the session 
of requests. 

4. A method as claimed in Claim 1 wherein the server* 
20 system counts requests to particular services 

exclusive of repeated requests from a common client. 

5. A method as claimed in Claim 1 wherein the server 
system maintains a database relating customer 
information to access patterns, the information 

25 including customer demographics. 
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6. A, method . ^ts,. claimed .-inL .Claim.. 1- wherfein* the feerveir 
^ ■.. .system ; subjects the- client, to* ah Authorization" routine 
prior to issuing the session identifier and v tiie s 
• I session identifier is protected from forgery. 
-zs.:-:c> , .3 .t,.i. A v * rvr »v. 5: . «u ^ v*r. " ; 
5 7. A method as :: c learned in Claim r 6 ^WhdreTri the "server 
system comprises plural servers! including r an " 1 " ' 
authentication server which provides session 
identifiers, for service, requests to : multiple servers . 

8. A method as claimed in Claim 7 whereihV v *~ J n ~ :: ' ' 1 
10 ■ v a client directs a service request to a first 

s^ryer ; which- is to provide' the requested service ; 

the [first server checks the- service reqiiest for a 
session identifier and only services a servicii^ Request 
having a valid session identifier, and where the 
15 service* Request has ino valid identifier t' e b *' 1 * ; ' 1 

/ s-i *4rt?he; ?ftirs_t :server redirects tlie r ^service 1 
, ^request, ; f rom the ^client to ^ the : aii£hor ization s sdrVer ; 

the authorization server subjects the client 
to the authorization routine aind issues -the session 
20 identifier tp.be, appended >oto th"e ! -ser vice ^request 0 to 

, the first; server; r v :tx*r- v' ;m .xr - - 

j.r lA t:her client (forwards th^ service' r^qii^st ' 

appended with the sessioTivcid^entxf ier* to r the first 
server; and 

25 ' ' f Bx\:i the. first servfe^l "recognizes the ^ksion * 

G identifier and services the': service request tV'the 
client; , and: . j,-- \ .'Wr.-. ufcbs - '; « * 7 * > * L 

' :. i o t the : cl ient appends the" sess i'orr iden't i f ieir to ' 
subsequent service, requests to : 'them's erVelP syVtem 1 aiid 
30 is serviced without further authorization. 

9. A method as claimed in Claims 1 or 7 wherein the 
session identifier includes a user identifier. 
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10. A method » as -ciaianed; in^ Claims i- or : 7 C wherein tiie 1 

r sessipp, iden^if AeJT s incltxdes.. an? expiration - tiirie~ : for the 
session^- T . . _ > r • so : o . p.s^s sr" :or > -. / *.. j 
V . .v--r- --i ir^. r.«:-'J ' r,— ; ".^-j. .1.. . . * - - - - 

11. A method as claimed in Claim 7 wherein the session identifier provides access to a protected domain to which the session has access authorization.

12. A method as claimed in Claim 11 wherein the session identifier is modified for access to a different protected domain.

13. A method as claimed in Claim 7 wherein the session identifier provides a key identifier for key management.

14. A method as claimed in Claims 1 or 7 wherein the server system records information from the session identifier in a transaction log in the server system.

15. A method as claimed in Claims 1 or 7 wherein communications between the client and server system are according to hypertext transfer protocol and the session identifier is appended as part of a path name in a uniform resource locator.

16. A method as claimed in Claim 15 wherein the client modifies the path name of a current uniform resource locator using relative addressing and retains the session identifier portion of the path name unmodified for subsequent requests in the session.
17. A method as claimed in Claim 1 or 7 further comprising excluding requests made to information from the client within a defined period of time.

18. A method of processing service requests from a client to a server system through a network comprising:

responding to a request for a document received from the client through the network;

appending a session identifier, which includes a user identification, to the request; and

returning the requested document wherein the document is customized for a particular user based on the user identification of the session identifier.

19. A method of processing service requests for a document received from a client through a network in which the document has been purchased by a user comprising:

responding to a request for a document received from a client through the network in which the document has been purchased by the user;

appending an authorization identifier to the request; and

returning the requested document if the authorization identifier indicates that the user is authorized to access the document.

20. A method as claimed in Claim 19, wherein the authorization identifier is encoded within a session identifier which is appended to the request.

21. A method of processing service requests from a client to a server system through a network comprising:

responding to a request for a document received from a client through the network;

appending a user identifier to the request;

returning the requested document to the client; and

charging the user identified in the identifier for access to the document.

22. A method as claimed in Claim 21, wherein a user identifier is encoded within a session identifier which is appended to the request.

23. A method of processing service requests from a client to a server system through a network comprising:

forwarding a service request from the client to the server system; and

appending a session identifier to the request and subsequent service requests from the client to the server system within a session of requests.

24. An information system on a network comprising:

means for receiving service requests from clients and for determining whether a service request includes a session identifier;

means for providing the session identifier in response to an initial service request in a session of requests; and

means for servicing service requests from a client which include the session identifier, the subsequent service requests being processed in the session.

25. An information system as claimed in Claim 24 wherein the means for providing the session identifier is in a server system which services the requests.

26. An information system as claimed in Claim 23 further comprising an authorization routine for authorizing the client prior to issuing the session identifier and means for protecting the session identifier from forgery.
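The session-identifier scheme of claims 8 through 16 and 26 (a first server that redirects requests lacking a valid identifier to an authorization server; an identifier carrying a user id, expiration, protected domain and key identifier; the identifier appended as a path prefix in the URL and carried forward by relative addressing; and protection against forgery), worked through as an added Python example that is not part of the patent. The HMAC tag, the `/@sid=` path marker, the `auth.example` host and all sample values are assumptions of this example.

```python
import hmac
import hashlib
from urllib.parse import urljoin, urlsplit

# Constructed secret; the HMAC tag is this example's assumed way of meeting
# claim 26 ("protecting the session identifier from forgery"), not the patent's.
SECRET = b"constructed-demo-secret"
SID_PREFIX = "/@sid="  # constructed path marker for the session identifier

def mint_sid(user_id, domain, expires_at, key_id="k1"):
    """Authorization server: user id (claim 9), expiration (10), protected
    domain (11) and key identifier (13), plus a tag so edits are detectable."""
    body = f"{user_id}.{domain}.{expires_at}.{key_id}"
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}.{tag}"

def verify_sid(sid, domain, now):
    """Return the user id if sid is untampered, unexpired and issued for domain."""
    try:
        user_id, sid_domain, expires, key_id, tag = sid.split(".")
        expires = int(expires)
    except (AttributeError, ValueError):
        return None
    body = f"{user_id}.{sid_domain}.{expires}.{key_id}"
    expect = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(expect, tag):
        return None  # forged or modified identifier
    if expires < now or sid_domain != domain:
        return None  # expired, or not authorized for this protected domain
    return user_id

def split_path(path):
    """Split '/@sid=<sid>/docs/x.html' into (sid, '/docs/x.html')."""
    if path.startswith(SID_PREFIX):
        sid, _, rest = path[len(SID_PREFIX):].partition("/")
        return sid, "/" + rest
    return None, path

def follow_link(current_url, href):
    """Client side of claim 16: a relative href keeps the identifier prefix."""
    return urljoin(current_url, href)

def handle(url, domain, now):
    """First server (claim 8): serve only with a valid identifier, else redirect."""
    sid, resource = split_path(urlsplit(url).path)
    user = verify_sid(sid, domain, now) if sid else None
    if user is None:
        return ("redirect", "https://auth.example/login?target=" + resource)
    return ("serve", resource, user)
```

Only a relative href carries the prefix forward; a root-relative link such as `/docs/c.html` drops it, and the first server then answers with a redirect to the authorization server instead of serving the page.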
27. An information system as claimed in Claim 24 further comprising a transaction log for recording information from the session identifier.

28. An information system as claimed in Claim 24 further comprising means for tracking access history of sequences of service requests within the session.

29. An information system as claimed in Claim 24 further comprising means for counting requests to particular services exclusive of repeated requests from a common client.

30. An information system as claimed in Claim 24 further comprising a database relating customer information to access patterns, the information including customer demographics.

31. An information system as claimed in Claim 25 wherein communications between the client and server system are according to hypertext transfer protocol and the session identifier is appended as part of a path name in a uniform resource locator.
32. An information server on a network comprising:

means for responding to requests for hypertext pages received from a client through the network by returning the requested hypertext pages to the client;

means for responding to further requests derived from links in the hypertext pages; and

means for tracking the further requests derived from a particular hypertext page.

33. An information server as claimed in Claim 32 wherein the requests include a common session identifier and the server tracks requests within a session of requests.

34. An information server as claimed in Claim 32 further comprising a database relating customer demographics to access patterns.
35. A method of providing access to information pages from a client to a server system through a network, comprising:

providing a telephone number at the client;

mapping the telephone number to a target page identifier using a translation database;

requesting information described by the page identifier from the server system; and

displaying a page identified by the page identifier at the client.

36. A method of providing access to information pages from a client to a server system through a network, comprising:

providing a descriptor at the client;

mapping the descriptor to a target page identifier using a translation database;

requesting at the client, information described by the page identifier from the server system without further user action; and

displaying a page identified by the page identifier at the client.
37. A method as claimed in Claims 35 or 36 wherein the translation database resides in the server system which returns a uniform resource locator in a REDIRECT command to the client to cause the client to request the information using the uniform resource locator.

38. A method as claimed in Claim 36 wherein the descriptor comprises a telephone number.

39. A method as claimed in Claim 36 wherein the descriptor comprises a descriptive term.

40. A method as claimed in Claim 39 wherein the term includes a company name.

41. A method as claimed in Claim 39 wherein the term includes a product name.

42. A method as claimed in Claim 39 wherein the term is identified by phonetic mapping.

43. A method as claimed in Claims 35 or 38 wherein the target page identifier describes a controlled page.

44. A method as claimed in Claims 35 or 36 wherein the target page identifier is a uniform resource locator.